Posted February 25, 2014 by FreedomPay

EMV a positive step, but not the end of fraud as we know it

Every time word gets out about a security breach, the usual response is that the adoption of the EMV chip card in the United States in late 2015 will prevent future occurrences.


Or maybe not.

Before you begin panicking, do note that the EMV chip card will be a huge improvement over the old standby magnetic strips. The United States is at least a decade behind with the magnetic strips – which were junked in Europe because they were too easy to hack.

Think about it: Who checks a customer’s signature to make sure it matches the one on the back of the credit or debit card (if that signature even appears on the card)? And how difficult is it for a checkout staffer to quickly swipe it through a card-copying machine or just copy down your number?

Let’s talk a little about EMV, which stands for Europay, MasterCard and Visa. It’s a joint effort conceived by the three payment conglomerates to ensure that chip-based payment cards are secure and operate across the globe.

EMV is a global standard for the inter-operation of chip cards and chip card-capable point of sale (POS) terminals and automated teller machines (ATMs) for authenticating credit and debit card transactions.

The EMV chip card should be safer, since checkout staff won’t be handling your card. Instead, they’ll simply hand you the point-of-interaction device; the customer will insert the card and verify the payment themselves with their PIN.

Even if an EMV chip card is stolen, the chip number by itself is useless. The PIN also is needed — and can be changed at any time.

In 2011, the UK Cards Association and Financial Fraud Action UK published a card fraud report which concluded that U.K. counterfeit fraud losses had fallen by more than 63 percent since 2004 thanks to the EMV chip card (also known as “chip and PIN”).

Even better – once merchants upgrade to EMV, it’s not difficult to make the jump to point-to-point encryption (P2PE), which establishes a hardware-to-hardware connection. That’s important because hardware – unlike software – can’t be infected.

Sounds good so far, right?

It’s definitely a step forward, but it isn’t foolproof.

For one thing, hackers and other bad guys never stop looking for an edge. If there’s a weakness to exploit, they’ll eventually find it.

And while in-store fraud may decline, online fraud may increase, according to security experts. Instead of using stolen credit-card numbers at stores, criminals will intensify such activity online.

“Fraud is much like natural phenomenon, whether that be the flow of water or electricity, in that it moves to the path of least resistance,” Al Pascual, analyst for Javelin Strategy & Research, told www.csoonline.com.

Although websites will require the PIN to complete a transaction, hackers could likely steal that, as well as a card number. Considering how many people have PINs of “1234” or “4321” or “1111,” it isn’t a stretch to think hackers will be able to collect PINs.

Meantime, in 2012, a Cambridge University study reported that payments can be compromised if merchants use incorrect terminals that don’t follow best practices guidelines.

Also in 2012, two MWR Labs researchers demonstrated a “PinPadPwn” attack. They programmed a smartcard that looked like a real credit card and exploited a weakness in an EMV-compatible terminal they’d bought off of eBay. The weakness allowed them to take control of the device screen and install malware that tricked the terminal into believing that any PIN was correct.

The point here isn’t to scare you into a state of panic, but to let you know that security is a never-ending battle – a battle that FreedomPay is fighting with our best-in-class platforms, especially in the aforementioned P2PE market. Together with our industry partners we work to provide the most secure commerce platforms in North America.

Posted February 11, 2014 by FreedomPay

Post-Breach Survival Guide for Consumers

Retail security breaches have continued to make news with reports of over 110 million customers’ financial and personal information potentially being compromised.

While those stories may be yesterday’s news, the ramifications will be long lasting and require consumers to be proactive in protecting their financial data. But what can John Q. Public do?
Some tips are evergreen.

For example, check statements often (and contact your financial institution if charges you don’t recognize appear). Don’t respond to texts or e-mails you don’t recognize. Don’t give out personal information. And use common sense when it comes to financial opportunities – if it appears too good to be true, it probably is.

But wait: There’s more you can do.

If you’re one of the unfortunate hundreds of millions affected, many retailers are offering a year of free credit monitoring and identity theft protection. Go to the retailer’s website to receive an activation code for these services. Those who sign up receive a complimentary copy of their credit report, as well as daily credit monitoring, identity theft insurance and personalized assistance access.

Meantime, if you worry about being compromised, change the PIN on your credit or debit card. Change account passwords, too, and don’t use “123456,” “111111,” “password” or anything else that made the list of the worst passwords of 2013.

In addition, call one of the credit bureaus and ask them to place a one-call fraud alert on your credit report. Don’t worry about contacting the other two – the one you deal with is legally required to contact the other two. The one-call fraud alert remains in your credit file for at least 90 days and requires creditors to contact you before new accounts are opened or credit lines on existing accounts are increased.

Also consider a credit freeze with the credit bureaus, which shutters your credit reports; no new credit applications can be initiated in your name without your knowledge. By doing so, you receive a personal ID number you can use to “thaw” your credit as needed. Existing lines aren’t impacted by the freeze.

Finally, keep safe by continually educating yourself.

The Consumer Federation of America offers information and links at www.IDTheftInfo.org, as well as tips and a phishing video at www.consumerfed.org/fraud.