

File Integrity Monitoring and How It Could Save Your Company

With the increase in data breaches, the data security world is a much scarier place today. According to the most recent stats from ITRC (Identity Theft Resource Center), 2017 was a record breaking year for data breaches, and 2018 is already on pace to be more of the same. So with threats coming left and right, what steps can you take to better protect your assets? Enter File Integrity Monitoring.

Seconds of Damage, Months of Recovery

In many cases, you may not know for a long time that you have been compromised. According to CNBC, most companies aren’t aware of a breach until weeks after it has happened. This is likely due to the speed at which the incident occurs: the attacker is there and gone in seconds. Verizon’s 2016 Data Breach Investigations Report states that in 93 percent of cases where data was stolen, systems were compromised in minutes or less, but in over 80 percent of cases, victims didn’t find the breach for weeks or more. This kind of damage to your business and reputation can take months, if not years, to repair.

Hackers Often Leave a Trail

So back to File Integrity Monitoring and why it is so critically important. File Integrity Monitoring (FIM) is the first line of defense of any organization wishing to protect its assets and data. To explain further, once a breach is under way in your network, the attacker will often do one or more of the following.

  • Modify critical systems, application binaries and configuration files
  • Access or modify data files
  • Modify or delete any log data to hide their tracks

The Verizon research analyzed more than 100,000 incidents and 2,260 breaches and found that more than 90 percent of breaches fall into this same pattern. With a FIM system in place, you can monitor for these subtle changes and be alerted immediately when any of the above events is detected.
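To make the detection concrete, here is an added example (not the Advanced Security Package tooling described on this page) of the core of a file-integrity monitor in Python: it hashes every file under a directory into a baseline, takes a later snapshot, and reports added, deleted and modified files ranked against the three attacker behaviours listed above. The directory layout, the severity rules and the simulated tampering in `demo()` are constructed for illustration.

```python
"""Minimal file-integrity monitor: hash a tree into a baseline, then diff a
later snapshot against it and rank the changes by the attacker behaviours
described above (binaries/configs, data files, logs).

Added example; not Wind River's ASP tooling. Paths, severity rules and the
demo tree are constructed for illustration."""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: {'sha256', 'size', 'mode'}} for every regular file under root."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": _sha256(p), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
    return snap


# Severity rules (constructed; tune per environment). First matching prefix wins.
SEVERITY_RULES = [
    (("bin/", "sbin/", "etc/"), "critical"),  # system/application binaries and configs
    (("var/log/",), "critical"),              # log tampering to hide tracks
    (("data/",), "high"),                     # data files
]


def severity(rel_path):
    for prefixes, level in SEVERITY_RULES:
        if rel_path.startswith(prefixes):
            return level
    return "medium"


def compare(baseline, current):
    """Diff two snapshots; each finding is (severity, kind, path), most severe first."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((severity(rel), "deleted", rel))
        elif rel not in baseline:
            findings.append((severity(rel), "added", rel))
        elif baseline[rel] != current[rel]:
            findings.append((severity(rel), "modified", rel))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[2]))


def demo():
    """Build a constructed tree, baseline it, simulate the attacker actions, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {
            "bin/app": b"ELF original",
            "etc/app.conf": b"debug=false",
            "data/customers.csv": b"id,name\n1,alice\n",
            "var/log/auth.log": b"login ok\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        baseline = snapshot(root)
        # Simulated tampering: trojaned binary, altered config, modified data file,
        # truncated log (reading data leaves no hash trace; modifying it does), dropped file.
        (root / "bin/app").write_bytes(b"ELF backdoored")
        (root / "etc/app.conf").write_bytes(b"debug=true")
        (root / "data/customers.csv").write_bytes(b"id,name\n1,alice\n2,mallory\n")
        (root / "var/log/auth.log").write_bytes(b"")
        (root / "tmp").mkdir()
        (root / "tmp/.hidden").write_bytes(b"dropper")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for sev, kind, path in demo():
        print(f"{sev:8} {kind:8} {path}")
```

In practice the baseline is stored off-host, since an attacker who can modify binaries can also modify a baseline kept beside them, and the compare step runs on the schedule your inspection time defines. Note that a truncated log shows up here as a size and hash change, which is exactly the case a plain "file still exists" check would miss.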

File Integrity Monitoring Sniffs Out the Breadcrumbs

File Integrity Monitoring is such a valuable tool that we consider it a vital part of the Advanced Security Package. FIM will run every day at an inspection time determined by you and will watch for any changes within your network. A digest of the inspection report can then be emailed to you on a daily or weekly basis. Additionally, another helpful feature is a heatmap data visualization, which helps you quickly assess the state of your network. Events on this heatmap can be filtered by severity in order to help you focus on the most important events in your environment.

You Don’t Need a Fortress

A further quote from the Verizon study really drives this home. “There’s no such thing as an impenetrable system, but often even a half-decent defense will deter many cybercriminals — they’ll move on and look for an easier target. Sadly, many organizations fail to achieve even that modest ambition.”

Sometimes, it’s not about the size of your castle. It’s more about the size of your moat.

Put FIM in Place Today

File Integrity Monitoring is something that is available to all Wind River customers as part of the Advanced Security Package. If you’re interested in learning more or you’re an existing customer looking to get these tools in place, feel free to contact us today. We believe in creating Security First environments and delivering these capabilities in a way that saves you money.


Seriously, What Are My Odds of a Data Breach?

Unfortunately, your chances of experiencing a data breach are growing each year. In fact, the trends and shifts in awareness pertaining to data security are frightening to watch unfold. I read a recent study that polled adults in the US, UK and Australia that asked if the number of criminals trying to steal personal information is increasing. Not surprisingly, the survey indicated that 85% of respondents felt that it was.

We recently discussed why having a “Security First” mindset and approach is important, and as we look at what is happening with breaches, the importance is highlighted even more.

According to the ITRC (Identity Theft Resource Center), cyberattacks and breaches have grown both in frequency and in the amount of losses sustained. Here are some of the statistics as noted in their 2017 Executive Summary.

  • Breaches again hit a new record in 2017, with 1,579 breaches tracked, up 44.7 percent from 1,091 in 2016, as businesses and government entities move toward timely reporting
  • The number of records exposed rose to about 179 million, compared with 37 million in 2016
  • Businesses saw 870 breaches (55% of the total)
  • Medical/healthcare organizations were affected by 374 breaches (23.7 percent of total breaches)
  • Banking/Credit/Financial saw 134 breaches (8.5%)

For a more detailed breakdown, you can see the year-over-year data breach numbers by sector and category.

Another key statistic from the report indicates that 59.3% of breaches were from hacking. Hacking includes methods such as phishing, malware and skimming.

With the number of breaches increasing and hacking being the number one method, it is clear that one area of your defense strategy needs to focus on identifying and mitigating the damage as quickly as possible.

Part of our “Security First” approach is to help arm all of our customers with additional ways to keep their customer or patient data safe. Our goal this year is to educate our customers about data breach risks and how they can start down the path to be “Security First.” An important component of that process will be encouraging them to take advantage of the security and monitoring tools in our Advanced Security Package.

If you’d like more information about other issues we see becoming more prevalent in the market, feel free to contact us or read about the dangers of ecommerce malware.


Is Being Compliant the Same as Being Secure?

I was reading a study published by Javelin the other day, and a few details really stood out to me.

“The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters.” (Al Pascual, Senior Vice President, Research Director and Head of Fraud with Javelin Strategy & Research)

One of the implications of this statement is that fraudsters are becoming even more aggressive and are looking for data, all kinds of data. While being PCI DSS compliant at any given point in time may seem comforting, the reality is that the fight is ongoing, and it will take a higher level of diligence to keep you and your customers from being impacted.

How Safe Are We?

The study included a frightening statistic that really emphasized current security issues.

“16.7 million Americans were victims last year, up from 15.4 million last year, the previous high.”

These are only the confirmed victims, not those with compromised information that hasn’t been used yet.

It’s Not Just Card Data

Just as sobering was the fact that the fraudsters aren’t just looking for card data.

“Large-scale compromise of existing non-card accounts in 2017 was clearly facilitated by poor controls as fraudsters capitalize on weak authentication.”

Even in the card data arena, the focus is changing.

“Card not present fraud is now 81 percent more likely than Point of Sale (POS) fraud.”

As card-present counterfeit-fighting capabilities improve with chip cards, the fight shifts online.

Compliance is the Wrong Goal

These types of statistics make it clear that the goal of being “compliant” is too small. Being PCI DSS compliant does not equal being secure. To combat these issues, organizations will need to adopt a “security first” mindset and approach, as opposed to the “finish line” approach.

Is there a silver bullet out there? Unfortunately, no.

As with most things that can be complex, it is about being diligent. Part of the answer is to always review your readiness. It also means leveraging key tools and expertise to help minimize exposure.

Are You “Security First”?

A “security first” approach can be hard, as many organizations have IT staff that are already stretched thin and aren’t able to make security their primary focus. Understandably, their role has been to focus the majority of their efforts on keeping your organization’s systems and technology running.

Advanced Security Package: A Strong Step

At Wind River Financial, we see a need to help our clients by bringing a “security first” approach. It is for this reason that we engaged with Trustwave and put together the Advanced Security Package (ASP) as strong steps toward this goal. It is too important not to take these steps.

The benefits of partnering with us and going down this path are many. It allows us to provide tools and capabilities that not only reduce your risk but save you time and money.

It’s Not Always Good to Wait

If you have not yet heard about the Advanced Security Package, you will soon. Our goal for 2018 is to reach out to every customer in order to help them in this endeavor.

This isn’t something that can wait. If you have not been contacted yet, feel free to read the details of ASP and then contact your Relationship Manager.

We look forward to helping you become “Security First.”

Holiday Season Reminders: Prevent Fraudulent Transactions and Chargebacks

With the holiday shopping season upon us, it’s a good time to review some good practices in helping prevent your business from incurring losses from fraudulent transactions and chargebacks.

Face-to-Face Transactions

• If the card presented for payment is not a chip card, always swipe the card. In the event of a chargeback, this provides proof the card was present at the time of the transaction.

• If presented with a chip card and you have an EMV terminal, have your customer insert the card into the terminal and leave it there until the transaction is complete.  (If you have not yet upgraded to an EMV Terminal, please contact your Relationship Manager at 800-704-7253.)

• Obtain an authorization number for the full amount of the transaction.

• If an authorization is declined, do not accept it, attempt to split it into smaller amounts, attempt to obtain authorization at a later time, or try to force it through. Any of these attempts may leave your business vulnerable to a chargeback loss. Instead, ask the customer for another payment method.

• Have your refund policy printed on the receipt directly above or below the cardholder signature line in letters ¼” high.

Internet or Phone Transactions (Card Not Present)

• Obtain an authorization number for the full amount of the transaction.

• If an authorization is declined, do not accept it, attempt to split it into smaller amounts, attempt to obtain authorization at a later time, or try to force it through. Any of these attempts may leave your business vulnerable to a chargeback loss. Instead, ask the customer for another payment method.

• Verify the cardholder’s address via Address Verification Service (AVS). The best AVS response is “Y” for Yes or “Match”. This means the cardholder has given you the same address as the billing address for the card. If you are still uncertain about the transaction (e.g., large transaction, first-time customer, splitting the sale amount between cards, etc.), you can call the issuing bank or the Voice Authorization Center.

• Ask the customer for the CVV/CVC Code on the back of their card (front for Amex). This is a 3 or 4-digit number that is now commonly used to help verify that the customer possesses the physical card. Most terminals prompt you for this information and will return a negative response if the number provided is not correct.

• Ship the merchandise to the AVS address and obtain signed proof of delivery or other method available from your shipper.

• Charge the cardholder’s account at the time the merchandise is shipped.

• Have your checkout page designed such that a customer must acknowledge your cancellation or refund policy. Be able to produce the acknowledgement in the event of a chargeback resulting from a refund dispute. Have a clear and concise refund policy.

NOTE: If a card is not present at the time of sale, a merchant cannot verify that the legitimate cardholder authorized the sale. The steps noted above may help minimize disputes and fraud, but they cannot guarantee avoidance of chargebacks. Card not present transactions are inherently more risky than those in which the card is present.

I hope this is a good reminder and something you might wish to review with your staff. If we can help or you have a concern, you can always call Client Care at 800-704-7253 or email us at info@WindRiverFinancial.com. Here is my contact information as well.

Wishing you a very Happy Holiday season.

CYBER SECURITY AND THE ART OF WAR

Successful cyber-attacks can ruin businesses, livelihoods, and even the lives of Small and Medium Business (SMB) owners and their customers. The enemy continues to grow stronger, launching over 4,000 attacks at SMBs daily. And the stakes could not be higher. This is not a game... this is a war.

• The majority of cyber-attacks are directed at SMBs, due mostly to the attacker’s perception of weaker defenses at SMBs as compared to larger enterprises with greater resources and defenses in place.
• Post-attack remediation costs of an attack can extend into the hundreds of thousands of dollars for an SMB
• 70% of SMBs attacked go out of business in less than 2 years after a significant breach

So, how do we win?

Oddly enough in these tech forward times, the answers may exist in a book written over 2,500 years ago.

Sun Tzu, the Chinese general, military strategist and philosopher who lived in the 5th century B.C., is best known for authoring “The Art of War”. This seminal work has influenced military strategy from when it was written to the present day. The Japanese military adopted many of the book’s principles as it built itself into a modern military power. During the Vietnam War, Ho Chi Minh had it translated and given to his officers for study, contributing to the Vietnamese Army’s success against the French and American forces. More recently, during the Gulf War, American Generals Schwarzkopf and Powell employed Sun Tzu’s philosophies during that conflict. And to this day, “The Art of War” continues to be a part of the Marine Corps Professional Reading Program.

The following are a few key “Art of War” principles, rendered to address the cyber-security challenges faced by today’s business owner.


“Every battle is won before it’s ever fought.”

Sun Tzu speaks to the importance of being fully committed and prepared, well in advance of any engagement with the enemy. Did you know that approximately 80% of businesses are not fully PCI compliant? To extend the analogy, this means that 4 out of 5 businesses are already losing the battle.


“The expert in battle moves the enemy, and is not moved by him.”

An effective cyber-security strategy must be proactive, agile and restless. The advantage exists in forcing the cyber-criminal to react to the defenses being put in place. Ask yourself if you are acting, or reacting.


“A clever fighter is one who not only wins, but excels in winning with ease.”

This idea is similar to the modern-day description of people who exhibit mastery within their field: elite athletes or artists, for instance, who “make it look easy”. But as we all know, that mastery is the result of untold hours of consistent and focused practice of their craft. To “win” against cyber-attacks, you must persistently invest the time and energy necessary to excel at defending your enterprise.


“Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.”

This translates to the importance of establishing and maintaining a very strong security posture while remaining opaque to outside forces. This of course includes software solutions, but it also includes well-defined security policies and even training protocols for employees, minimizing inroads for attackers. And in the event that an attack is detected, we must move swiftly and strongly to shut it down.


“The greatest victory is that which requires no battle.”

This is the ideal state that we strive for. One in which the enemy chooses to not attack, as a result of the perceived strength of our defenses.

We at Wind River Financial, in partnership with Trustwave, are excited to offer our client partners the robust offering within the Advanced Security Package (ASP) as we all continue to fight this battle. We encourage you to contact your Relationship Manager for your login so that you can activate these enhanced tools immediately. Upgrades of this kind are critical to defending your business. Equally important is the commitment of the SMB owner to making cyber security a top priority. Having the very best tools in your arsenal, in tandem with a committed and vigilant philosophy, is the best strategy for winning this war.

To learn more about the tools you can go here. To speak with a Relationship Manager call our Client Care 800-704-7253 ext. 6828

Who are you?

As a fraud expert, I recall a certain fraud conference I attended years ago with a presentation by one of the U.S. Attorney’s Offices in New York. The conference was hosted by the International Association of Financial Crimes Investigators (IAFCI), an association for which I now co-chair the Cyber Fraud Industry Group. The U.S. Attorney’s Office began their presentation with background music of “Who Are You” by The Who – the theme song of the original CSI TV series. They played this while running through a seemingly endless slide show of articles about identity theft. The salient point was that identity theft was already out of control at that time.

This memory is pertinent to discussions today about the Equifax breach and questions I’m getting from, seemingly, all directions. Most people are asking “what should I do?” Everyone from family members to clients are asking.

The issue has a long history and probably begins with the practice of entities using SSNs as a unique identifier for individuals. The SSN itself was only meant to be used for social security and I’ve heard that it’s actually illegal to use it for other purposes. However, I think you’ll agree that many entities still use it for identity purposes – both private and public sectors.

On top of this, the credit rating industry in the U.S. has private entities (credit reporting agencies) that make money by purchasing your payment history from creditors, creating profiles, and then selling a credit score to potential new creditors so that they can determine their risk. They also maintain consumer personal identifiers within the profiles that can be used to positively identify credit applicants. This is something U.S. financial institutions are required to do to help combat money laundering and other crimes. What could possibly go wrong with entities storing this sensitive information?

Another issue the financial services industry is struggling with is synthetic identities. These are identities that are completely false, but nevertheless, criminals are able to establish credit profiles at credit reporting agencies with the false identifiers and apply for credit under them.

Where does it end? That’s a good question. If I ask “Who are you?” giving me your first name may be enough if I know you. However, if I’m a financial institution and you’re applying for a loan or a credit card, I have to rely primarily on the credit profile as your “identity.”

This is where we turn back to the Equifax breach, which, at the time of this writing, involved the compromise of approximately 143 million consumer profiles (about half the population of the U.S.) and 209,000 credit card numbers.

The compromised information can be used to open financial accounts such as credit cards, loans, lines of credit, etc. It could be used to file a false income tax return on your behalf in order to get an income tax refund. It can also be used for non-financial services related ID theft.

There are plenty of good resources for information on what to do now. Two are the Financial Services Information Sharing & Analysis Center (FS-ISAC) and the Federal Trade Commission (FTC). These resources provide information that you can use to determine your personal best course of action, which may depend on characteristics such as your age, your personal credit needs (such as whether you need instant credit), or other parameters.

They also provide the links to complete any actions you may wish to complete such as checking to see if your information is known to have been included in the Equifax data compromise, signing up for credit monitoring, placing a freeze on your credit reports, placing a fraud alert on your credit reports, or taking other action.

Some actions you can take to be defensive against identity theft over the long term include:

• Filing your income tax return as soon as possible each year so that criminals can’t file a false one using your SSN

• Reviewing your credit reports each year free of cost (annualcreditreport.com). You can also run queries on the SSNs of your underage children to ensure that they come back blank or not on file. If they come back with accounts, you will want to investigate further and file consumer disputes on their behalf if necessary. This can be particularly important in the time period before your child graduates high school as they may be applying for student or other types of loans which is a bad time to find out they were the victims of identity theft with ruined credit.

• Utilizing credit monitoring services. There are some free services to do this such as certain credit card accounts that offer this as an included service, ¹Credit Karma, credit monitoring services offered by entities after they have been breached (Equifax is offering this), etc.

The Equifax data compromise was a large one, but they are certainly not the only one. Also remember that your information is on file with the federal government – several departments of which have experienced their own data compromises. The point being that you should assume your identity information is at risk and you should act accordingly over the long term while helping your children and older generations do the same. At the end of the day, if your credit becomes damaged from a fraudulent entry, you can file a dispute with the credit agency or agencies. Federal law requires the agencies to then take certain actions to verify with the reporting creditor or correct or remove the entry which should improve your credit rating situation.

So…who are you?

¹Wind River Financial does not endorse or promote any particular service. Those mentioned are for example purposes.

Do You Know Who’s On the Other End of That Line?

A certain type of scam has resurfaced recently – one that has been around for a long time in different iterations. We’ve blogged about this before, but perhaps it’s time for a reminder. What I refer to is a “fake authorization scam” and it works like this.

The fraud suspect is attempting to purchase a big ticket item or conduct a credit card cash advance in a financial institution. The card is declined and they have an excuse such as “it must be a transaction amount limit” or “a daily limit.”  They pretend to call the number on the back of their credit card or they have you call it. However, unbeknownst to you, the phone number has been changed on the back of this counterfeit card, and it rings to the cell phone of an accomplice of theirs.

Their accomplice is skilled at sounding like they work for the credit card issuer. They use common terms and professional sounding language. They indicate a reason that the transaction was declined, but that funds are available and they will walk you through a manual authorization.

They have you press certain keys on your credit card terminal and, unbeknownst to you once again, they have taken your terminal offline or into training mode. In this mode, any number entered as an approval code will appear as an approval even though the terminal is not communicating with the card issuer to obtain authorization.

The happy “customer” then goes on their way never to be heard from again. Then you receive a chargeback from the credit card issuer for “no valid authorization.” You call your credit card processor and insist that you spoke with the card issuer and they gave you an authorization code that approved on your terminal. Your credit card processor can only see that the card issuer has reported that the authorization code was not valid. Unless a valid code is provided, you’re going to lose the chargeback as the real cardholder wants their money back from this fraudulent transaction on their account.

You thought you were going to have a big sale and instead you’re sitting with a loss. The chargeback process does not seem fair. You did your best to “do it right” and you still got scammed. There are many frustrating things about this type of scam.

There are a few things you can do to help protect your business from this. First, never (and I mean NEVER) accept a customer’s cell phone if they say they’ve contacted their card issuer. Along with this, do not call the number on the back of their card, since it may have been modified. The phone number on the back of a card is for the cardholder only.

In the very rare event that a cardholder needs to contact their card issuer to get special permission to run a larger transaction, they can do so on their own while you, as the merchant, run the transaction the way it was intended: insert the card (if it’s a chip card) or swipe the magnetic stripe and get an approval.

If the card declines, it’s a sign that something is wrong. Are there other signs present that this customer may not be who they purport to be? Was the sale too easy? Are they “buying” rather than “shopping”? Is the merchandise something they can easily resell on eBay?

We recommend asking for another form of payment at this point. If, at your discretion, you choose to attempt to run the card again, you’re increasing the chances of not getting paid for the transaction. We do not want this to happen which is why we recommend stopping at a first decline and asking for that second form of payment.

Better safe than sorry…

Bring on the Growth! But not the frustration and headaches of Chargebacks!

Retail sales (minus gas) are predicted to jump 4.1% this year*, which would mark the best growth since 2014! Since 70% of consumer spending is done electronically, it is an especially good time to brush up on the topic of minimizing Chargebacks.

Running a business is a difficult job and Wind River understands that you don’t need the added frustration or headaches associated with Chargebacks. Check out our refreshed quick reference guide How to Minimize Chargebacks.

Secondly, as you know the fraudsters (those bad guys) are always looking for ways to take advantage of you. Take an extra moment to read and share with your staff our article, Guarding against On-line or Card Not Present Fraud.

*Transact Special Report: U.S. Economic Indicators

E-commerce fraud protection tools can help you.

If your business is experiencing impactful e-commerce fraud and related chargebacks, you may want to consider a real-time fraud analytics solution.

Wind River Financial now partners with several solutions that use artificial intelligence to help identify fraudulent orders, decrease false positives, and even provide confidence in shipping internationally. Some solutions even cover fraud chargebacks if they did not detect the order as being potentially fraudulent. With chip card acceptance continuing to grow, online fraud is growing at a significant pace.

Contact us at 800 704-7253, info@WindRiverFinancial.com or contact us and let us help you explore the options that might best fit your business needs and save you money and time.

Are criminals using your website’s shopping cart to test stolen credit card information?

Does your business participate in e-commerce? If so, it may only be a matter of time before criminals use your website to test stolen credit card information. They also like to use e-commerce websites to systematically test different credit card expiration dates until they find the right one.

Wind River Financial is aware of specific cases of our clients’ websites being used this way, and it is definitely an increasing type of fraudulent activity.

Criminals often use “bots” or scripts that automatically input data so that they can test large numbers of credit cards in a short period of time.

We strongly recommend being proactive and putting protection in place to help avoid additional authorization or chargeback costs for the additional fraudulent transaction attempts.

Because Wind River Financial is seeing an increase in this type of activity, we recommend that customers consider options such as Google’s reCaptcha, a free solution detailed below, and that you contact your web developer to put this or another solution in place to help mitigate automated testing of stolen credit card numbers on your website. Doing so may help prevent excessive authorization fees and other risks to your business.

There are several ways that you can mitigate this type of activity including the following:

  • Ask your web developer to look at the IP address or addresses associated with the fraudulent activity. They can often be blocked individually, regionally, by country, etc. Doing something as simple as this often makes criminals go elsewhere.
  • Use a solution to help distinguish human from machine input such as reCaptcha (by Google). It’s a free product that helps stop bot or script activity on your website and is easy for legitimate customers to use. Your web developer should be able to help you use this solution.
  • Credit card gateways, which all e-commerce merchants use, often have anti-fraud solutions that may also help mitigate this risk.
  • If need be, you can take your website down for a short period of time to chase criminals elsewhere. However, criminals often return once your website is back up, so a more permanent solution is usually better. This option is not for everyone and should be considered a last resort.
  • Your web developer may be able to limit the number of authorization attempts allowed per period of time if your website does not have high legitimate volume.

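As an added example of the last two list items (limiting authorization attempts per period and telling bot traffic from a real shopper), not code from Wind River Financial or any payment gateway: a Python sliding-window limiter that refuses an IP’s sixth authorization attempt within ten minutes before the gateway is ever called, plus a review of an attempt log for the card-testing signature the post describes (many attempts, many distinct cards, mostly declines, from one source). The thresholds, IP addresses and the attempt log are constructed; the `card-A` style fingerprints stand in for a tokenized card reference, never the full card number.

```python
"""Velocity checks for card-testing bots: a sliding-window limiter on
authorization attempts per client IP, plus an offline review of an attempt
log for the decline-heavy, many-cards-from-one-source pattern.

Added example, not Wind River Financial's or any gateway's code. Thresholds,
addresses and the attempt log are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AuthRateLimiter:
    """Allow at most `limit` authorization attempts per `window` per source IP."""

    def __init__(self, limit=5, window=timedelta(minutes=10)):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                        # refuse before the gateway is called (no auth fee)
        q.append(now)
        return True


def review_attempts(attempts, window=timedelta(minutes=10), max_attempts=5,
                    max_cards=3, min_decline_ratio=0.6):
    """Flag source IPs whose attempts inside any `window` look like card testing.
    attempts: iterable of (timestamp, ip, card_fingerprint, approved: bool)."""
    by_ip = defaultdict(list)
    for ts, ip, card, ok in sorted(attempts):
        by_ip[ip].append((ts, card, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] >= window:
                start += 1
            win = rows[start:end + 1]
            cards = {c for _, c, _ in win}
            declines = sum(1 for _, _, ok in win if not ok)
            reasons = []
            if len(win) > max_attempts:
                reasons.append(f"{len(win)} attempts in window")
            if len(cards) > max_cards:
                reasons.append(f"{len(cards)} distinct cards")
            if len(win) >= 3 and declines / len(win) >= min_decline_ratio:
                reasons.append(f"{declines}/{len(win)} declined")
            if reasons:
                flagged[ip] = reasons
                break
    return flagged


def constructed_log():
    """Constructed sample: one shopper with a typo-then-success, one bot cycling cards."""
    t0 = datetime(2018, 11, 23, 9, 0, 0)
    log = [
        (t0, "203.0.113.10", "card-A", False),
        (t0 + timedelta(minutes=1), "203.0.113.10", "card-A", True),
    ]
    for i in range(8):  # eight different cards in two minutes, only one approved
        log.append((t0 + timedelta(seconds=15 * i), "198.51.100.7", f"card-{i:02d}", i == 6))
    return log


def demo():
    """Return (flagged sources, per-IP allow/deny decisions the limiter would make)."""
    log = constructed_log()
    flagged = review_attempts(log)
    limiter = AuthRateLimiter(limit=5, window=timedelta(minutes=10))
    decisions = defaultdict(list)
    for ts, ip, _, _ in sorted(log):
        decisions[ip].append(limiter.allow(ip, ts))
    return flagged, dict(decisions)


if __name__ == "__main__":
    flagged, decisions = demo()
    for ip, reasons in flagged.items():
        print(f"flag {ip}: {'; '.join(reasons)}")
    for ip, d in decisions.items():
        print(f"{ip}: {d.count(True)} allowed, {d.count(False)} refused")
```

The limiter belongs in front of the gateway call, so refused attempts never incur an authorization fee; the log review is what you would run after the fact to pick the addresses worth blocking. Per-IP limits are a floor, not a ceiling: a distributed bot spreads attempts across many addresses, which is why the per-card and decline-ratio signals, and a bot-versus-human check at checkout, are used alongside it.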
This is not meant to be an exhaustive list, but steps like this should help drive criminals off of your website.

Consider taking proactive steps to head this risk off before your business becomes a victim. Tools like reCaptcha can be effective on your website. Using anti-fraud tools from your credit card gateway may be an option, or potentially blocking foreign IP addresses if you do not conduct international business.

Your web developer may be familiar with other tools that may also be useful.