Identity and Data Theft - Why Is It Still Taking Place?

This past weekend I read a number of articles pertaining to identity theft and other forms of fraudulent activities happening around the world. Then a gentleman I have known for a number of years stopped by to ask me for some advice. It seems someone had skimmed his American Express card and made a clone so they could begin the process of stealing. American Express called him to see if he had made some recent charges over 2000 miles from where he resides. None of the charges were his so once again someone will have to spend several hours reviewing various items as well as completing forms to make sure this single credit card was the only affected item for him and his family.
I explained to him, as I have to so many others, what steps he should take to protect against potential future problems: file a police report, contact all three major credit bureaus and place a fraud notice with each, and send a written dispute to American Express. It is nearly impossible for individuals to truly protect themselves from many of the annoyances that come with losing their credit card information. Skimming, phishing, pharming, data breaches and many other methods are used by thieves to steal information from unsuspecting individuals and companies.
Companies and a number of organizations publish the steps individuals should take to protect their private information, and yet companies require individuals to hand over that same information without any assurance that the company will actually be able to protect it. The Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year. Another article notes: “No matter what your industry, fraud is a part of it. Did you know that merchants are paying $139 billion annually in fraud losses alone, according to the 2010 LexisNexis True Cost of Fraud Study?” This alone should make people wary of any company’s ability or desire to truly protect them, and question what companies are really doing to fight fraud and data breaches.
The loss of information by many different means is a worldwide problem, as outlined in a recent article: “LONDON (AP) — A hacker claims to have compromised the personal information of more than 350,000 users after breaking into a disused website operated by pornography provider Brazzers. A small sample of the hundreds of thousands of pieces of user data allegedly compromised was posted to the Internet earlier this week. Emails, usernames, and encrypted passwords were divulged, and in some cases it was possible to infer porn users’ full names and country of origin.”
I review reports of losses through multiple means on a daily basis. I also review various companies’ and organizations’ recommendations on how people should protect themselves from losses; below is just a fraction of what people have been advised to do:
• Do not carry a Social Security card.
• Do not give personal information over the phone.
• Do not give checking account or debit card information over the phone.
• Do not leave outgoing mail in a home mailbox.
• Do not respond to e-mail requesting account information.
Companies that accept credit cards for payment of goods or services use a point of sale device to validate the card and authorize the transaction amount. These companies rely on their payment processors, the banks that issue the cards and the credit card companies themselves to validate the card and to confirm that the person using it is making a legitimate transaction rather than a fraudulent one.
My question to companies is: with all of these layers of protection that are supposed to protect individuals, why are reports like the following still being written? “The U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash, according to Global Card Fraud, from a recent issue of The Nilson Report, a respected trade newsletter on the payments industry. Payment card fraud losses totaled $3.56 billion last year in the U.S. from all general purpose and private label, signature and PIN payment cards. “The U.S. has a disproportionate percentage of the global total losses for two reasons . . . U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don’t want to alienate their cardholder,” said David Robertson, publisher of The Nilson Report.”
How does a company protect its customers and its own information? Can this actually be achieved when the crooks are using some of the best stolen equipment available while the companies are using ‘older’ models because of budget constraints? Companies make do with what they have, and crooks make do with the newest equipment they can steal.
When will a multi-level, multi-dimensional protection system be produced: a system that uses accurate purchasing patterns and offers instant notification of purchases to the individuals who want it? One extra layer of protection for credit card or mobile payments that could easily be put in place is a zip code verification the merchant could perform with the point of sale device. The first three digits of the zip code could be placed on the mag stripe or in the other encrypted data captured by the point of sale device. If those three digits fall outside a 100 or even 200 mile radius of where the transaction is taking place, the merchant could take one more step to protect the cardholder and themselves from any losses. This would stop many cards cloned from skimmed data from being used several states away. Two caveats: a clone carries the same three digits as the original, so the check does nothing for a clone used near the cardholder’s home, and legitimate travel will trigger it, so the extra step should be a verification rather than an automatic decline.
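A concrete version of the zip code check proposed above, added here as an illustration and not the author’s code. It assumes the terminal has the card’s three-digit zip prefix from the track data and knows its own coordinates; the prefix-to-centroid table and the coordinates in it are constructed, approximate sample values, and the 200 mile radius and the ACCEPT/VERIFY outcomes are this example’s assumptions.

```python
import math

# Constructed sample table: approximate centre coordinates for three 3-digit
# ZIP prefixes. A real deployment would load a full prefix-to-centroid table.
ZIP3_CENTROIDS = {
    "100": (40.75, -73.99),   # New York, NY (approximate)
    "606": (41.88, -87.63),   # Chicago, IL (approximate)
    "900": (34.05, -118.24),  # Los Angeles, CA (approximate)
}

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in statute miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def zip_prefix_distance(track_zip3, terminal_lat, terminal_lon):
    """Miles between the cardholder's ZIP-prefix centroid and the terminal,
    or None when the prefix is not in the table."""
    centroid = ZIP3_CENTROIDS.get(track_zip3)
    if centroid is None:
        return None
    return haversine_miles(centroid[0], centroid[1], terminal_lat, terminal_lon)


def terminal_decision(track_zip3, terminal_lat, terminal_lon, radius_miles=200):
    """Merchant-side step: ACCEPT when the card's home prefix is within the
    radius; otherwise VERIFY (ask for ID, a second factor, or decline per
    policy). An unknown prefix is treated as out of range, never silently accepted."""
    distance = zip_prefix_distance(track_zip3, terminal_lat, terminal_lon)
    if distance is None or distance > radius_miles:
        return "VERIFY", distance
    return "ACCEPT", distance


if __name__ == "__main__":
    # The same track data swiped in Manhattan, then in Los Angeles.
    print(terminal_decision("100", 40.71, -74.01))    # ACCEPT, a few miles
    print(terminal_decision("100", 34.05, -118.24))   # VERIFY, roughly 2,450 miles
```

The distance is computed on the merchant side from data the terminal already has, so nothing new has to travel to the processor; the VERIFY outcome is where the merchant’s “one more step” goes.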
People believe that fraud will never happen to them, but if it does, it can be expensive and very time consuming to take the actions necessary to undo the long term damage. When enough people are affected or the reported losses are high enough, governments discuss ways to fight the various problems. Sometimes laws are enacted requiring companies to protect the data of their customers. Many times years go by before companies comply with these laws. It is sometimes easier to argue against the need for the protection than to invest in protecting the customers’ data.
Reading daily reports, I am reminded how little has changed in over 10 years when it comes to fighting fraud in this new world of technology advances. Below are two excerpts, the beginning and the ending of an article I wrote for a publication in August 2000.
“Imagine sitting on a full plane on the tarmac, delayed for an hour or more due to weather. How does this relate to a story on Internet Fraud? It reminds us that despite the fact that the world continues to get more sophisticated, we remain at the mercy of intangibles. Despite all their advances, the sophisticated systems of an airline and the high-tech capabilities of the Internet can be beaten by the unanticipated. In the case of the airlines, the unanticipated is the weather. In the case of the Internet, it is the new age thief.”
“As we taxied back to the gate after an hour on the tarmac, I could not help but think that no matter how sophisticated the world and machines have become, we are sometimes stopped by the unexpected and the unwanted. In the case of the Internet, it is the new age thieves and other unscrupulous parties that cause problems for companies and individuals trying to adjust to a new way of doing business.”
Thieves, over the last 10 years, have expanded their methods to include attacking nearly every industry. Data theft, healthcare fraud, identity theft and bank fraud are some of the largest at this time. Year after year losses grow, and year after year companies continue fighting all forms of fraud with reactive solutions instead of investing in proactive solutions. When companies become proactive in fraud fighting, there will be little need for their customers to worry about someone obtaining their credit data or stealing their identity.

Alvin Cameron

How Long Have You Been Gone?

How long have you been gone?

Remembering your smiles that brighten a day,
The dreams you shared that brighten many lives,
Things you did that helped to make a day go easier,

How long have you been gone?

The tears that were shed when things became too much,
The laughter that you brought to the people around you,
The hearts you touched by just being you.

How long have you been gone?

You were many things to many people,
A child, a friend, an acquaintance,
Someone who shared their life in so many ways with those around you,

How long have you been gone?

What you brought to people’s lives is missed.
You had so much more to give but your time was cut short.
Tears shed are for what will be missed from having you near.

How long have you been gone,

The minutes turned to hours, days to weeks, then months and years.
The time you spent with us was too short.
You were only special to a few, but you touched so many people’s lives.

Memories are what we have of you and the memory that is most difficult is:

How Long You Have Been Gone.


Holiday Shopping 2000

Will online merchants face the same disasters they did last year? Will this be the year that allows online merchants to shine or receive another black eye? Last season merchants did not anticipate the difference between online sales and traditional brick-and-mortar sales. New and first time Internet shoppers were left with a bitter taste.

This year, companies need to fulfill the orders they accept and make sure orders are delivered on schedule; consumers will need to shop early. Additionally, precautions should be taken to verify that the company does have the merchandise in stock and can deliver on time. If you purchase an original German cuckoo clock, do not order it two days before the holidays.

Even though the Internet is the easiest place to find hard-to-find items and an easy place to shop, online merchants must take precautions. If you are selling goods via the Internet, someone out there may try to steal from you. Internet merchants face 12 times more fraudulent activity than their brick-and-mortar counterparts. Consumers should remember a few simple rules when shopping online.

Consumers should only purchase from secure sites. Review the online merchant’s purchase and return policies. When entering credit information, make sure the site states that the information is encrypted as it is transmitted. Do not be offended or upset with merchants who follow up on your order to confirm that you placed it. Be extremely careful about giving out personal information. Legitimate companies will not ask you for more than general information to confirm your order. If in doubt, call the company’s customer service number to find out whether a standard practice exists before answering any questions. Remember that companies may do this for your protection.

Consumers and online merchants are hopeful for the 2000 holiday season. Never before has there been such an efficient way to shop. Simultaneously, never before has there been an easier way to shoplift. Thieves will not only disrupt merchants’ ability to fulfill all the holiday orders; there will also be many unsuspecting credit card holders who have their credit information stolen. The majority of thieves have been stealing credit card numbers from brick-and-mortar stores through skimming and applying for credit in someone else’s name.

Over a year ago, I started writing about fraud and other credit problems the online world was developing. It took some time before anyone started listening or taking the developing problems seriously. Today, many newspapers and magazines are writing about online fraud and the problems associated with doing business via the Internet.

The Internet is like the old west, expanding at a breakneck pace with few boundaries. I parallel the Internet and companies new to the online world to another piece of history — the California gold rush. During that time, people from all over the world rushed to find their fortunes. Now companies from all over the world are rushing to drive revenues, and only a select few find their fortunes. Then, like now, only a few will ever obtain the elusive dream. Few will strike it rich, and few will get out with fortunes intact. The dreams of each era are endless. History has shown the perils faced by early dreamers. Only recently have the real stories of the dangers of the Internet begun to be told.

Just as the men and women of the old west were blinded by the color of gold, so are companies blinded by the new online markets. Companies are forging ahead, purchasing the latest equipment and hiring personnel at high cost. Like the gold miners of yesteryear, the commercial rush to get products on the Internet and begin selling is blinding the parties to the dangers and costs involved. What happens when the company is open for business? Have they really thought it through? Fulfillment, customer service, returns, and battling the Internet shoplifter.

Many articles estimate e-commerce sales to be somewhere between $2.5 trillion and $5.2 trillion by 2004. Within the next three years, experts are predicting most companies conducting e-business will not survive. This is like someone telling you, “I have good news and bad news.” If you survive to 2004, you could be one of the few companies that become a success story. Success and money. Every company is hoping for success and money when it begins selling goods or services over the Internet. The color of the golden sales is blinding, and the ease of selling over the Internet has taken many businesses by surprise. However, the danger of failure is great. One article stated doing business over the Internet would require minimal human intervention. It did not take long before companies discovered the opposite was true. Companies needed more personnel for customer service, sales problems, packaging, and the fulfillment and return of merchandise.

The Internet has created more jobs in traditional areas of law enforcement, office equipment sales, fulfillment companies, the list goes on and on. The Internet is like the Industrial Revolution — the start of a new way of life. The use of the Internet has made the world a smaller place. It has brought out the best people have to offer and helped millions obtain goods. Ten years ago, these goods would have been impossible to obtain. It has also brought out the worst in some. Thieves prey on the weak, the small, and the innocent.

Companies and governments are just beginning to fight back. New departments, organizations, and task forces develop daily to combat Internet thieves and scam artists. Many companies are seeking out information to assist in stopping thieves from stealing merchandise. Law enforcement agencies are becoming more involved and knowledgeable about Internet crimes. Since activity on the Internet leaves traces that can often be followed back to the party responsible, law enforcement and companies are coming together to stop Internet predators. Just as the Internet has grown at tremendous speed, so has the technology and knowledge needed to track parties using the Internet for illegal activities.

As in the first few years of the gold rush, people have become aware of the risks and the dangers of conducting business via the Internet. Companies and people are taking precautions when buying and selling over the Internet. The golden glitter has lost some of its shine, but the lure of the golden dream is still alive. The traditional practice of making sure a sale of merchandise is safe will soon replace the days of rushing to increase sales via e-commerce. Until that day arrives, consumers must take precautions when placing Internet orders. E-commerce merchants need to exceed brick-and-mortar stores’ traditional ways of treating consumers. If both parties cooperate, the 2000 holiday season should be joyous and profitable.

Al Cameron

Fraud Scoring Systems - Are They Outdated? Part Two

In this part I will also examine what takes place when card information is used and systems fail to recognize the obvious.

Every merchant or company that accepts payment by credit card, debit card, mobile payment or a similar method is assigned a Merchant Category Code, also known as an MCC number, by its acquiring bank. This allows financial institutions to control what types of merchants and products they will accept payments for. Online gambling, much of which is unlawful in the US, falls under MCC 7995 (betting and gambling), which allows US card issuers to block every transaction attempted by a merchant assigned that code. Issuers can block other MCC codes for a variety of reasons.

Credit card companies and card issuers attach different risk factors to the various MCC codes. This is done to protect all parties involved from losses that could take place. Consider two MCC codes assigned to merchants that provide the same product in slightly different ways. MCC 5541 is assigned to service stations that dispense fuel and may have stores where goods or services can be purchased. MCC 5542 is assigned to the same or similar merchants when the sale goes through an automated fuel dispenser. MCC 5542 is used when you pay at the pump; MCC 5541 identifies a transaction made inside the store at a point of sale device.

Because there is a greater risk of losses for MCC 5542, the credit card company or financial institution views the fraud scoring of these transactions differently, or at least it should. I have read reports over the years of cards being tried at the pump and simply dropped on the ground when they were rejected. Some reports have listed dozens of stolen or cloned cards being attempted and then discarded when they were rejected.

One case study I performed showed several cards had been subject to skimming. After the people checked out of their hotel the cards were used at several pay at the pump sites to steal over fifty thousand dollars ($50,000.00) in fuel over a long four-day weekend. This was done by using modified fuel containers. The difficult thing to understand in this case was that these cardholders did not live in the state the cards were being used in. The cards had never been previously used for the MCC 5542 code, automated fuel purchase, and as many as five pumps were authorized within 3 minutes at one station with a single card. Somewhere in the required steps to validate the card for these purchases one of the fraud scoring systems should have “recognized” a potential problem.

When a party completes a financial transaction with a credit card, debit card, the new mobile payment methods, or any of the other ways companies accept payment for their goods or services, certain events take place to authorize the payment method. Consider a credit card, debit card or mobile payment transaction. The information is captured from the item being used to make payment. The captured information is transmitted to the merchant’s payment processor. The payment processor in turn transmits the information to the card association, which routes it to the issuing financial institution for validation of the card information. Because a number of parties are involved in the acceptance and approval process, it is difficult for cardholders to understand how or why several transactions were allowed to complete using their financial information.
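The pay-at-the-pump case above, worked through as an added example (not the author’s code and not any issuer’s actual scoring). The transaction log, the rule weights and thresholds, the three-minute velocity window and the cardholder profile are all constructed assumptions. The point is that the three facts the case turned on, a card never before used at MCC 5542, in a state the cardholder had never transacted in, authorized at five pumps within three minutes, are each visible to the issuer at authorization time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BLOCKED_MCCS = {"7995"}            # betting and gambling: blocked outright
HIGH_RISK_MCCS = {"5542"}          # automated fuel dispensers (pay at the pump)
VELOCITY_WINDOW = timedelta(minutes=3)
VELOCITY_LIMIT = 3                 # third authorization at one merchant inside the window
REVIEW_AT, DECLINE_AT = 40, 70     # constructed score thresholds


def seen_before(history):
    """MCCs and states each card has genuinely transacted in before."""
    profile = defaultdict(lambda: {"mccs": set(), "states": set()})
    for t in history:
        profile[t["card"]]["mccs"].add(t["mcc"])
        profile[t["card"]]["states"].add(t["state"])
    return profile


def score_authorizations(history, incoming):
    """Score each incoming authorization in time order and return
    [(id, score, decision, reasons)]. Only APPROVEd activity extends the
    profile, so a run of fraudulent attempts cannot teach the system that
    they are normal."""
    profile = seen_before(history)
    recent = defaultdict(list)           # (card, merchant) -> attempt timestamps
    results = []
    for t in sorted(incoming, key=lambda x: x["ts"]):
        card, ts = t["card"], t["ts"]
        if t["mcc"] in BLOCKED_MCCS:
            results.append((t["id"], 100, "DECLINE", ["blocked_mcc"]))
            continue
        score, reasons = 0, []
        if t["mcc"] in HIGH_RISK_MCCS:
            score += 15; reasons.append("high_risk_mcc")
        if t["mcc"] not in profile[card]["mccs"]:
            score += 20; reasons.append("first_use_of_mcc")
        if t["state"] not in profile[card]["states"]:
            score += 15; reasons.append("new_state")
        key = (card, t["merchant"])
        # attempts count toward velocity whether or not they were approved
        recent[key] = [x for x in recent[key] if ts - x <= VELOCITY_WINDOW] + [ts]
        if len(recent[key]) >= VELOCITY_LIMIT:
            score += 40; reasons.append("velocity")
        decision = ("DECLINE" if score >= DECLINE_AT
                    else "REVIEW" if score >= REVIEW_AT else "APPROVE")
        if decision == "APPROVE":
            profile[card]["mccs"].add(t["mcc"])
            profile[card]["states"].add(t["state"])
        results.append((t["id"], score, decision, reasons))
    return results


def T(tid, card, ts, mcc, merchant, state):
    return {"id": tid, "card": card, "ts": datetime.fromisoformat(ts),
            "mcc": mcc, "merchant": merchant, "state": state}


# Constructed data modelled on the case: a Texas cardholder whose card was
# skimmed at a Florida hotel, then a clone run through a Georgia pump island.
HISTORY = [
    T("h1", "card-1", "2010-09-01T12:00:00", "5411", "GROCER TX 12", "TX"),
    T("h2", "card-1", "2010-09-02T18:30:00", "5812", "DINER TX 3", "TX"),
    T("h3", "card-1", "2010-09-03T08:10:00", "5541", "STATION TX 9", "TX"),
    T("h4", "card-1", "2010-09-04T15:00:00", "7011", "HOTEL FL 1", "FL"),
]
INCOMING = [
    T("t1", "card-1", "2010-09-05T11:00:00", "5812", "DINER FL 7", "FL"),
    T("t2", "card-1", "2010-09-05T12:00:10", "5542", "PUMP GA 17", "GA"),
    T("t3", "card-1", "2010-09-05T12:00:40", "5542", "PUMP GA 17", "GA"),
    T("t4", "card-1", "2010-09-05T12:01:05", "5542", "PUMP GA 17", "GA"),
    T("t5", "card-1", "2010-09-05T12:01:50", "5542", "PUMP GA 17", "GA"),
    T("t6", "card-1", "2010-09-05T12:02:30", "5542", "PUMP GA 17", "GA"),
    T("t7", "card-1", "2010-09-05T13:00:00", "7995", "BETSHOP", "XX"),
]

if __name__ == "__main__":
    for row in score_authorizations(HISTORY, INCOMING):
        print(row)
```

With these weights the first pump goes to review rather than a hard decline (a traveller buying fuel in a new state is not by itself fraud), and the velocity rule is what turns the third and later pumps into declines; the gambling merchant is refused on its MCC alone.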

Losses like the above example take place every day. This is one of the reasons I believe the current fraud scoring systems need new ways to recognize and fight fraud. Tomorrow I will examine what some of these tools could be.

Al Cameron

Fraud Scoring Systems - Are They Outdated? Part 3

In part one of this article, I examined why fraud scoring systems currently could be considered outdated.

The tools and methods thieves use to steal financial data vary and are ever changing. Because most fraud fighting relies on the automated checks outlined in the previous two parts of this article, thieves are able to learn what the systems that are supposed to protect purchases will accept, and to shape their orders accordingly.

Protection needs to start with the cardholder. (I use the term cardholder to describe the person or company whose financial information is being used to make the financial transaction.) Cardholders need to keep their financial data safe and report any inconsistencies or problems. Merchants need to be observant when accepting the various payment methods. For most merchants the days of “know your customer” are gone, and they rely only on the point of sale terminal to validate the customer. This can and does cause losses for the merchant. Financial institutions and credit card companies must develop a line of defense that helps merchants and cardholders protect the transaction by using the purchasing patterns of the individual cardholder.

Nearly every fraud or theft case I have reviewed has one thing in common. The cardholder never participated in or made the questionable transaction. They were never physically at the merchant where the transaction(s) were made. They never ordered from the company over the phone or online. They never authorized a purchase, nor the use of their financial information to make a wire transfer. The list of reasons is long. After taking the time to review the cardholder’s information and the information from the required sources involved in the transaction, the end result is mostly the same: the transaction was fraudulent and someone other than the cardholder takes a financial loss. This has resulted in tens of billions of dollars being lost to thieves.

If credit card companies, financial institutions, and companies with fraud fighting systems would consider a multi-level and multi-dimensional system that also includes an automated secondary system for anomalies, this could reduce not only losses but the tens of thousands of hours companies spend yearly trying to resolve fraudulent transactions.

This system needs to use the granular information gathered while a financial transaction is being conducted and compare it against all the transactions previously performed by that individual cardholder or company. This can be achieved with many of the rules currently in use, by adapting some of those rules to recognize individual cardholders’ transactions, and by developing new rules for specific companies and individual transactions. Each transaction would be reviewed to determine whether the financial data had ever been used at the assigned MCC code (Merchant Category Code), and whether the cardholder had ever made a transaction at that merchant, at a similar merchant, in that city, in that state, or in that country. Cardholders and companies make the same or very similar transactions over a period of time, and yet this information is not used to its full potential.

In 2001 I wrote about trying to use a multi-level system to address the problem of fraud. Ever since then I have used this to evaluate various systems to help companies reduce fraud losses. In time I understood that in order to address the needs of the many types of companies that were suffering losses, this system needed to be multi-dimensional. Helping a company or financial institution reduce not only the losses it suffers but the amount of time it needs to spend trying to recover those losses is paramount in reducing the overall losses and stopping the thieves. In order to reduce the manual work of fraud fighting, as well as account for purchases by cardholders and companies outside of their normal purchasing patterns, an automated secondary system for anomalies is needed; this can also be automated to handle the acceptance of purchases as well as provide the high degree of protection needed.
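An added example of the multi-level, multi-dimensional comparison described in the two paragraphs above (illustrative code, not the author’s system). Level one compares the transaction against everything the cardholder has done before along the dimensions named above, merchant, MCC, city, state and country, plus the amounts seen per MCC; level two is the automated secondary system for anomalies, which accepts the explainable ones, hands the unexplained ones to a person, and pushes the rest to the cardholder for confirmation. The transaction history, the anomaly rules and the three outcomes are this example’s assumptions.

```python
from collections import defaultdict
from statistics import mean

DIMENSIONS = ("merchant", "mcc", "city", "state", "country")
AMOUNT_MULTIPLE = 3   # assumption: flag an amount over three times the mean for that MCC


def build_profile(history):
    """Level one baseline: everything this cardholder has done before, per
    dimension, plus the amounts seen per MCC."""
    profile = {d: set() for d in DIMENSIONS}
    profile["amounts"] = defaultdict(list)
    for t in history:
        for d in DIMENSIONS:
            profile[d].add(t[d])
        profile["amounts"][t["mcc"]].append(t["amount"])
    return profile


def anomalies(profile, t):
    """Which dimensions of this transaction the cardholder has never produced."""
    found = [d for d in DIMENSIONS if t[d] not in profile[d]]
    past = profile["amounts"].get(t["mcc"])
    if past and t["amount"] > AMOUNT_MULTIPLE * mean(past):
        found.append("amount")
    return found


def secondary_review(anoms):
    """Level two: automated handling of anomalies so that only unexplained
    activity reaches a person. These rules are this example's assumptions."""
    if not anoms:
        return "ACCEPT"
    if "country" in anoms or ("mcc" in anoms and "state" in anoms):
        return "MANUAL_REVIEW"             # first time abroad, or new kind of merchant in a new state
    if set(anoms) <= {"merchant", "city"}:
        return "ACCEPT"                    # a new store inside the cardholder's known area
    return "VERIFY_WITH_CARDHOLDER"        # instant notification; the cardholder confirms or denies


def adjudicate(history, incoming):
    """Return [(id, anomalies, decision)] for each incoming transaction."""
    profile = build_profile(history)
    results = []
    for t in incoming:
        found = anomalies(profile, t)
        results.append((t["id"], found, secondary_review(found)))
    return results


def T(tid, merchant, mcc, city, state, country, amount):
    return dict(id=tid, merchant=merchant, mcc=mcc, city=city, state=state,
                country=country, amount=amount)


# Constructed history for one Austin, Texas cardholder, then five new transactions.
HISTORY = [
    T("h1", "GROCER 12", "5411", "Austin", "TX", "US", 84.20),
    T("h2", "GROCER 12", "5411", "Austin", "TX", "US", 112.50),
    T("h3", "STATION 9", "5541", "Austin", "TX", "US", 45.00),
    T("h4", "TACO SHOP", "5812", "Austin", "TX", "US", 22.75),
]
INCOMING = [
    T("a", "GROCER 07", "5411", "Round Rock", "TX", "US", 96.10),     # same chain, next town over
    T("b", "PUMP 5 GA", "5542", "Atlanta", "GA", "US", 120.00),       # new MCC in a new state
    T("c", "STATION 9", "5541", "Austin", "TX", "US", 400.00),        # known station, unusual amount
    T("d", "ELECTRONICS 220", "5732", "Austin", "TX", "US", 899.00),  # new MCC at home
    T("e", "CAFE LONDRES", "5812", "London", "LND", "GB", 30.00),     # first transaction abroad
]

if __name__ == "__main__":
    for row in adjudicate(HISTORY, INCOMING):
        print(row)
```

The manual queue ends up holding only two of the five transactions; the grocery run in the next town is accepted automatically because every dimension except the exact store and city matches, and the two at-home oddities go to the cardholder, which is the “instant notification” the first post asks for.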

Protection for the future will require an overhaul of the current fraud system processes. To protect cardholders, merchants, financial institutions and credit card companies from ever increasing monetary losses and from the ever persistent ways thieves steal, a granular approach to fraud fighting should be implemented. I have taught many people to review data as follows: “What’s wrong with this picture?” and “If it does not look right, it probably isn’t.” Automating these two statements could go far in reducing losses and increasing profits.

Al Cameron

Fraud Scoring Systems - Are They Outdated? Part One

The short answer falls somewhere between “yes” and “their ability to make accurate predictions is prehistoric.” Fraud scoring systems that companies employ to judge whether an order should be accepted, rejected, or manually reviewed before acceptance or rejection are in need of major overhauls, in my opinion.

Nearly every report or whitepaper I have read, or webinar I have listened to, over the last decade details the same or similar rules being used to judge the ordering information, and the same fraud fighting techniques. Some of the standard verifications these systems and the companies they try to protect use are:
• Is the billing address the same as the shipping address?
• Is the card BIN from a high fraud country?
• Is the order amount close to the company’s overall average order?
• Does the area code of the party ordering match the area the order is placed from, and is it a valid area code?
• Is the email address considered risky, i.e. a free web based email address?
• Is the IP address a proxy server or some other IP address considered high risk?

Here is why I consider many of these rules outdated and ineffective in the fraud fighting systems companies currently employ.
• Area code matching: we are a mobile society; a person can live in Los Angeles, CA and carry a mobile phone with a New York area code.
• IP validation: many people order through proxy servers or from their work computers, which in many cases produces false positives in fraud scoring systems.
• Use of free web based email addresses: in 1999 and 2000 many start-up companies refused to take orders from these addresses. Today the vast majority of people around the world have one or more of them.
• BIN verification: financial institutions are constantly changing or adding BINs for their products, and unless the fraud scoring system obtains every BIN added to or removed from the world financial system, the result is multiple false positives. Good orders are automatically rejected, and orders that should be rejected are accepted.
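To show the failure the list above describes, here is the legacy rule set as an added example (not the author’s code), run over two constructed orders: a legitimate Los Angeles resident with a New York mobile number ordering from behind a corporate proxy with a free email address, and a thief using the same skimmed card who has set every attribute the rules look at to match. The domain list, proxy list, BIN list, area code table, thresholds and both orders are constructed; the IP addresses come from the RFC 5737 documentation ranges and the card number is a placeholder.

```python
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
HIGH_RISK_BINS = {"411111", "453201"}       # constructed, and already stale
KNOWN_PROXY_IPS = {"203.0.113.9"}           # constructed: one company's outbound proxy
AREA_CODE_STATE = {"212": "NY", "310": "CA", "512": "TX"}   # constructed subset


def legacy_rules(order):
    """The rule set described above, scored by counting hits. Every input it
    examines is supplied by whoever is placing the order; none of the rules
    consult the real cardholder's history."""
    hits = []
    if order["bill_addr"] != order["ship_addr"]:
        hits.append("bill_ship_mismatch")
    if order["pan"][:6] in HIGH_RISK_BINS:
        hits.append("risky_bin")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        hits.append("free_email")
    if order["ip"] in KNOWN_PROXY_IPS:
        hits.append("proxy_ip")
    if AREA_CODE_STATE.get(order["phone"][:3]) != order["bill_state"]:
        hits.append("area_code_mismatch")
    decision = "REJECT" if len(hits) >= 3 else "REVIEW" if len(hits) == 2 else "ACCEPT"
    return decision, hits


# Constructed orders. The PAN is a placeholder, not a real card number.
LEGITIMATE_ORDER = {
    "pan": "5400000000000000",
    "bill_addr": "1 Example St, Los Angeles CA",
    "ship_addr": "1 Example St, Los Angeles CA",
    "bill_state": "CA",
    "phone": "2125550100",              # kept the New York number after moving west
    "email": "cardholder@gmail.com",
    "ip": "203.0.113.9",                # ordering from work, through the proxy
}
STOLEN_CARD_ORDER = {
    "pan": "5400000000000000",          # the same card, skimmed
    "bill_addr": "9 Drop Ln, Austin TX",
    "ship_addr": "9 Drop Ln, Austin TX",   # billing set equal to the drop address
    "bill_state": "TX",
    "phone": "5125550199",              # area code chosen to match the address given
    "email": "orders@parcel-drop.example",
    "ip": "198.51.100.23",              # an ordinary residential line
}


def contrast():
    """Return both decisions side by side: the genuine customer is rejected,
    the thief is accepted."""
    return {"legitimate": legacy_rules(LEGITIMATE_ORDER)[0],
            "stolen_card": legacy_rules(STOLEN_CARD_ORDER)[0]}


if __name__ == "__main__":
    print(legacy_rules(LEGITIMATE_ORDER))
    print(legacy_rules(STOLEN_CARD_ORDER))
```

The three hits against the real cardholder are all facts about how ordinary people live and work in 2010, while the thief clears every rule because each one tests a value the thief typed in.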

Approving an order may require validating only a few checks or several hundred. If a fraud scoring system has several hundred rules in place to validate an order, there is a greater chance that many of those rules also have flaws that block valid orders and fulfill orders placed by thieves that should have been rejected.

I have examined a number of companies that have added new rules to try to thwart the thieves and reduce losses for the company. Because these basic scoring systems have been used by most companies for several years, the thieves know how to “beat” most systems by providing ordering information that many systems place in the accept category. This is one of the reasons why billions of dollars are lost each year.

Current fraud scoring systems are developed to help companies reduce their losses, which does little to protect individuals. Efforts are needed to start understanding an individual shopper’s behavior and purchasing patterns, and to start protecting that one shopper’s experience and the payment method that single shopper uses.

In the next part of this series I will examine what takes place when card information is used and systems fail to recognize the obvious.

Al Cameron

Fraud and the Changing Job Roles

Imagine sitting on a full plane on the tarmac, delayed for an hour or more due to weather. How does this relate to a story on Internet Credit Fraud? It reminds us that despite the fact that the world continues to get more sophisticated, we remain at the mercy of intangibles. Despite all their advances, the sophisticated systems of an airline and the high-tech capabilities of the Internet can be beaten by the unanticipated. In the case of the airlines, the unanticipated is the weather. In the case of the Internet, it is the new age thief.

The Internet is changing the way we do business. The speed and wonder of the Internet have transformed traditional selling methods, and with them the ability to steal identities and other personal information. As a result, loss prevention has taken on a completely new meaning. Worldwide attacks on companies and computers are an everyday threat. No longer is it necessary for a thief to come to your company’s building to steal from or harm your business. With the help of the Internet, today’s new age thieves can get your company to deliver goods to an address of their choosing. Soon there will be no need for those thieves to fence their ill-gotten goods in dark alleys or smoky backrooms. Most of the stolen items will be sold through a public auction site or in specialized chat rooms. Until more secure verification techniques are in place, making an Internet purchase is as easy as obtaining credit over the Internet. The process is simple: using someone else’s credit or personal information, thieves obtain a credit line in that person’s name and start ordering the things they wish to steal. Total time needed — less than five minutes.

Most businesses naively believe there is little risk involved in pursuing sales in a business-to-business (B2B) environment. I, on the other hand, am waiting for the first breaking news story that reports someone has stolen thousands of tires, batteries, or even engines from a B2B merchant. New age thieves can order a boxcar full of lumber and have it delivered to a location of their choice with little more than stolen documents and some convincing credit information. Although business-to-consumer (B2C) sales have a slightly higher loss rate than B2B sales, the higher-priced merchandise is found in B2B. I strongly disagree with people who believe that the risk to companies doing B2B is negligible. Whether your company is developing a B2B or B2C strategy, it must remember to take the proper security measures to protect its e-commerce investments. If new B2B companies do not believe Internet theft really happens, the best evidence I can give them is the stolen cars hidden in shipping containers at the docks.

History tells us if you sell it or have it, someone else may try to steal it. Today’s Internet thieves come from all walks of life. Although Internet thieves may believe their actions are harmless, many will face grave consequences because companies and law enforcement agencies worldwide are concentrating on stopping Internet crimes.

If your company is considering selling products or providing goods via the Internet, someone must make sure that there are enough tools and training opportunities in place to protect your company and assist it in the apprehension and prosecution of Internet thieves. Loss prevention specialists with Internet expertise are very rare. Where will this new breed of employee come from? If your company employs loss prevention specialists for brick-and-mortar protection, have them start learning what the Internet is and how it might affect your company’s losses. If your company does not employ loss prevention specialists, I suggest it use the best department for protecting its assets and accounts — the credit department. In most companies, this department is one of the most unappreciated. From the directors of credit to the newly trained credit specialists, their ability and desire to protect company assets is uncanny.

I have read articles stating the credit manager’s future role will not only diminish, but completely disappear. This is a complete waste of some of a company’s best talent. These individuals were taught to ask the tough questions and make the hard decisions. When working with the Internet, the questions are tougher to answer and the decisions are more difficult to make. Credit managers have the knowledge to look beyond the sale of goods and services. Credit managers look at protecting the sale. The skills needed to protect Internet sales are just now being developed. Old traditional ways of verifying credit will be but a memory in the next few years. High-speed approvals mean higher risks for companies. Credit managers who adapt to the changes the Internet is bringing will become invaluable resources for their companies. Even the largest companies with their own loss prevention departments will need the expertise of their credit departments when pursuing Internet sales. Never before has there been a greater need to combine the expertise of granting credit and preventing loss than when doing business on the Internet.

The e-commerce sales explosion has created a need to do traditional jobs in new ways. Because of this, credit managers and loss prevention specialists who wish to invest the time and effort to re-educate themselves can be at the forefront of a new generation of employees that companies will employ.

Regardless of whether or not your company pays for training or advanced education, the time to start learning is now. If you have a computer at home, start exploring the Internet for fraud-related sites. Unfortunately, there are no books to assist you. Instead, subscribe to free newsletters to get up-to-the-minute reports on all the different types of fraud and Internet security problems taking place around the world. Your employer may allow you time each day to navigate the Internet and keep current with the latest news. Staying informed on Internet news takes about an hour a day. The time you invest in learning about Internet security will save your company much more than the wages it is paying you. Take as many seminars as you are able to find. Not only are the seminars on Internet fraud insightful, but they also provide an invaluable opportunity to network with other Internet specialists.

One of the greatest difficulties in managing Internet Security is un-learning the way credit and loss prevention have been done in the past. Remember that new age thieves are now working at the speed of the Internet and you must adjust your credit and loss prevention departments to anticipate the moves they make. Although your company will not be able to stop all the attempts at Internet theft, you can make it more difficult for the thieves. Once your company has taken the appropriate steps to improve Internet security, your job will be easy.

As we taxied back to the gate after an hour on the tarmac, I could not help but think that no matter how sophisticated the world and machines have become, we are sometimes stopped by the unexpected and the unwanted. In the case of the Internet, it is the new age thieves and other unscrupulous parties that cause problems for companies and individuals trying to adjust to a new way of doing business.

Al Cameron

Fraud and Data Protection is a Process Not a Software Program

In December 1999, the Wall Street Journal ran an article about generals, admirals, and other military personnel who experienced identity theft and fraud. An invisible party was able to secure enough information to obtain credit cards in the names of these unsuspecting individuals. In turn, this thief ordered thousands of dollars in merchandise with these fraudulent new cards. To make matters worse, this party used the Internet to inform other online thieves how they could steal using this technique. Twelve years later, the only things that have changed are the number of people subject to having their identity stolen and the number of attacks companies are suffering. Losses have multiplied many fold since those early days.

Recent history has shown that almost nothing can be completely protected. According to daily articles and reports, companies have lost millions of pieces of data to hackers and thieves. Payment processors have unknowingly had malicious code placed on their systems that has given thieves the ability to steal millions more pieces of personal data. Medical facilities, government agencies, third-party email providers, as well as companies and merchants of every type, are subject to attacks by hackers and thieves from around the world. Information and programs on how to steal data are readily shared and available.

Losses and costs for the companies and consumers involved are in the billions of dollars. The easier you make it for people to pay for something without proper controls, the easier it is for thieves to steal and use that same information and those same techniques. The fine line all companies must walk is making it non-intrusive for their customers to purchase the goods or services being sold while still recognizing the non-legitimate customers. The more controls you require a purchaser to participate in, the less likely they are to use that payment method or to purchase goods or services from your company.

I believe fraud and data protection systems need to be developed with more granular level reviews, or losses will continue to increase.

Every day thieves are able to gain valuable data from an assortment of different companies. This happens when someone mistakenly clicks on a link in a phishing email message that they or their company receives. That action can install various types of malware that allow access to a company’s system. Some companies and institutions have unscrupulous or disgruntled employees who help the thieves obtain the information needed to steal data. Hackers use a number of other proven ways to break into systems and gain access to sensitive data. Security software can only protect against known problems, not against the new viruses or intrusion programs the thieves are continually developing or adapting.

Examine two ways that a simple mistake can lead to devastating results for the companies involved. The first case will examine ACH losses, and in the second portion I will address a similar type of problem that is little known and gets little if any press but is perpetrated against one of the most vital industries in the world.

Many cases of ACH fraud happen when an employee or company receives a phishing or similar type of email and someone attempts to view its contents. A number of these emails use enticing titles to make a party curious enough to view the contents, while others look like legitimate business correspondence. Once the attachment or link is opened or viewed, it installs a malware program that allows the thieves to view or receive information that can lead to losses. Obtaining account numbers and passwords is the main goal; with them the perpetrator can pretend to be an employee and steal in a number of different ways: bank wires, payroll, and paying bogus companies for services not performed.

Few companies or individuals understand that banking rules for companies differ from individuals in the amount of time they have to report possible fraudulent ACH transactions. Banking rules allow only 2 days for companies but up to 60 days for individuals. It is imperative for companies to take steps to protect a company’s information from even simple mistakes that can be made.

The simplest way to do this is to have a separate system or laptop that only contains the information and ability to receive and send financial information. This system or laptop should not have direct internet access or have the ability to receive emails or use programs that do not relate specifically to handling the company’s financial needs. This system should be locked up, in the case of a laptop, and locked down in case of a larger system when not directly being used by authorized personnel for financial transactions.

The minor cost in taking these steps can save any company or organization time and money.
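Because a company has only the two business days the post describes to dispute an unauthorized ACH debit, the practical defensive control beside the isolated laptop is a daily reconciliation that compares what the bank actually posted with what the company actually approved, so an unexplained debit is caught while it can still be disputed. The following is an added example written for this post, not the author's or any bank's code; the statement lines, the approved-payments ledger and the trace numbers are constructed sample data, and the two-business-day window is the figure stated above (holidays are ignored for simplicity).

```python
"""Daily ACH reconciliation: flag posted debits that match nothing the
company approved, and compute the last day they can still be disputed.

Added example for this post; the bank statement lines, approved-payment
ledger and trace numbers are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

COMPANY_REPORTING_DAYS = 2  # business days for a company, per the post (individuals get up to 60)


@dataclass(frozen=True)
class AchDebit:
    posted: date
    amount_cents: int
    counterparty: str
    trace: str            # bank trace number (constructed)


@dataclass(frozen=True)
class ApprovedPayment:
    amount_cents: int
    counterparty: str
    approved_by: str


# Constructed sample: what the company's AP/payroll system actually approved today.
APPROVED = [
    ApprovedPayment(250_000, "ACME SUPPLY", "controller"),
    ApprovedPayment(1_200_000, "PAYROLL PROVIDER", "hr-manager"),
]

# Constructed sample: what the bank statement shows for the same day.
STATEMENT = [
    AchDebit(date(2011, 6, 14), 250_000, "ACME SUPPLY", "T-0001"),
    AchDebit(date(2011, 6, 14), 1_200_000, "PAYROLL PROVIDER", "T-0002"),
    # Nothing in the ledger authorized this one: a bogus vendor paid for services never performed.
    AchDebit(date(2011, 6, 14), 480_000, "NORTHSTAR CONSULTING LLC", "T-0003"),
]


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` Monday-to-Friday days (holidays ignored)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def reconcile(statement, approved):
    """Return the debits with no matching approval (same amount and counterparty).

    Each approval is consumed once, so a second debit for an approved vendor
    is flagged as well: a duplicate is just as unexplained as a new payee.
    """
    remaining = list(approved)
    unexplained = []
    for debit in statement:
        match = next((a for a in remaining
                      if a.amount_cents == debit.amount_cents
                      and a.counterparty == debit.counterparty), None)
        if match is None:
            unexplained.append(debit)
        else:
            remaining.remove(match)
    return unexplained


def reporting_deadline(debit: AchDebit) -> date:
    """Last business day on which the company can still dispute this debit."""
    return add_business_days(debit.posted, COMPANY_REPORTING_DAYS)


def still_disputable(debit: AchDebit, today: date) -> bool:
    return today <= reporting_deadline(debit)


if __name__ == "__main__":
    for d in reconcile(STATEMENT, APPROVED):
        print("UNEXPLAINED %s %s %.2f dispute by %s" %
              (d.trace, d.counterparty, d.amount_cents / 100, reporting_deadline(d)))
```

Run against the constructed statement, only the third debit comes back, with a dispute deadline two business days after it posted; a statement that lists the ACME debit twice would flag the second copy too. Matching on amount and counterparty is deliberately strict so that a payee name that is almost, but not exactly, a known vendor is surfaced rather than silently accepted.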

The trucking industry is subject to a number of different fraud scenarios, but the focus here will be mainly on what might be the most lucrative. Trucking firms can be a one-man operation or a large company with hundreds of trucks that travel locally, across the nation, and even across international borders. There are logistics companies that provide financial and other business services to help the trucking industry: fuel cards, national-brand credit cards, and other payment methods that let drivers and companies concentrate on the job of driving and delivering the loads they carry. Most trucking logistics companies have agreements with many merchants nationwide that provide fuel and other necessities needed by trucking companies and truckers.

Like any business that may provide a financial gain for a thief, the trucking industry also provides areas for thieves to attempt data theft as well as fraudulent scams. I do not minimize the misuse of credit card information or other types of retail fraud suffered by trucking firms, but I will concentrate on the fraudulent cashing of drafts or of draft information provided to trucking companies. This manner of payment is used so truckers and their families have quick access to ready cash in order to pay for repairs and other needed items. A draft has the characteristics of a bank’s counter-check, but the main difference is that when the proper sequence of numbers and information is given verbally to an authorized merchant, cash can be received or used to pay for services.

What is required is either that a generic draft be properly filled in or just that a cash register receipt be printed and signed. Cash, if requested, can be given to the “driver” up to the limit of the requested authorized draft amount or a set merchant limit. Unlike a counter-check, when a “draft” is originally authorized for a specific amount, the required cashing sequence of information can be shared with a number of people, and each of these parties is able to cash their portion of the draft (i.e., if a ‘draft’ is authorized for $3000, 6 parties could each cash $500 at one establishment or at multiple establishments in the same city or across the nation). As in other types of losses, when a phishing scheme or data loss is perpetrated and the thieves gain the information needed to authorize ‘draft’ amounts, this information can be relayed to parties all over the country by mobile phone, and losses can occur within minutes.
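The split-cashing pattern just described is detectable on the authorizing side, because a single driver cannot be in Omaha and Dallas five minutes apart: if the system that issued the draft keeps the running balance and looks at where and how quickly the pieces are being redeemed, the second city and any over-redemption can be held instead of paid out. What follows is an added example for this post, not the author's or any logistics company's code; the draft id, driver id, merchant ids, cities, the 30-minute window and the per-window limits are all constructed.

```python
"""Track redemptions against one draft authorization and flag the
split-cashing pattern: one authorized amount cashed in pieces by several
people at several places within minutes.

Added example for this post; ids, cities, window and thresholds are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Redemption:
    when: datetime
    merchant_id: str
    city: str
    amount_cents: int


@dataclass
class DraftAuthorization:
    draft_id: str
    driver_id: str
    authorized_cents: int
    window: timedelta = timedelta(minutes=30)   # constructed: how far back "recent" looks
    max_cities_in_window: int = 1               # one driver is in one place at a time
    max_partials_in_window: int = 3             # constructed velocity limit
    redemptions: list = field(default_factory=list)

    def remaining_cents(self) -> int:
        return self.authorized_cents - sum(r.amount_cents for r in self.redemptions)

    def review(self, attempt: Redemption) -> list:
        """Return the reasons this attempt should be held; empty means it is consistent
        with a single driver redeeming his own draft."""
        reasons = []
        if attempt.amount_cents > self.remaining_cents():
            reasons.append("exceeds remaining authorized amount")
        recent = [r for r in self.redemptions
                  if timedelta(0) <= attempt.when - r.when <= self.window]
        cities = {r.city for r in recent} | {attempt.city}
        if len(cities) > self.max_cities_in_window:
            reasons.append("redeemed in %d cities within the window" % len(cities))
        if len(recent) + 1 > self.max_partials_in_window:
            reasons.append("more than %d partial redemptions within the window"
                           % self.max_partials_in_window)
        return reasons

    def apply(self, attempt: Redemption) -> list:
        """Record the redemption only when it is clean; held attempts never reduce the balance."""
        reasons = self.review(attempt)
        if not reasons:
            self.redemptions.append(attempt)
        return reasons


def split_cashing_demo():
    """The post's scenario: a $3000 draft, six $500 pieces cashed minutes apart in several cities."""
    auth = DraftAuthorization("D-1001", "driver-42", 300_000)
    t0 = datetime(2011, 6, 14, 9, 0)
    cities = ["Omaha", "Omaha", "Dallas", "Atlanta", "Denver", "Omaha"]
    results = []
    for i, city in enumerate(cities):
        attempt = Redemption(t0 + timedelta(minutes=i), "M-%d" % i, city, 50_000)
        results.append(auth.apply(attempt))
    return auth, results


if __name__ == "__main__":
    auth, results = split_cashing_demo()
    for r in results:
        print("OK" if not r else "HELD: " + "; ".join(r))
    print("remaining $%.2f" % (auth.remaining_cents() / 100))
```

In the demo the two Omaha redemptions go through, the Dallas, Atlanta and Denver pieces are held because a second city appears inside the window, and the balance stays at $1500 instead of being drained. The same structure holds an attempt for more than the remaining balance and a burst of small redemptions even from one city, which is the "know the customer, not the pattern" point of this section: the limits are per draft and per driver, not a global rule.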

The strength of the data protection system, as well as of the fraud system used by each of the parties mentioned above, needs to become a priority. Protection systems must understand individual purchasing behavior, not general purchasing patterns, in order to properly protect all involved from losses. When two or more parties have become victims of thieves using a similar or the same type of fraudulent scam, the responsibility to find a way to protect the customer by knowing the customer must be addressed by all parties involved.

The question is who should be responsible for the losses: the merchant, the logistics company, or the trucking company? Unfortunately, as with most theft, the company that was the victim will normally suffer the losses.

It is imperative for companies and institutions to take the next step in data and fraud protection. Every day articles are written about data being lost and identity theft taking place. If a company or organization has their system compromised only then do they begin to strengthen their procedures to make sure this does not happen again. Unfortunately, reports show that there are a number of companies that took what they thought were enough steps to stop future data intrusions from happening but had more intrusions that resulted in more data being stolen, even after new procedures were put in place.

Systems need to be protected not only from outside threats but from inside mistakes. Protection for the company or institution is a lower priority than providing the necessary personnel and funding to develop and promote the core of the business the company is in. Attempting to develop a quick fix after your company has been attacked or data has been lost only serves to show that protecting customers’ information was not the priority it should have been.

Consideration should be given to utilizing a multi-level and multi-dimensional system that also utilizes an automated secondary system for anomalies. The secondary system should allow for transactions that are unrecognized for that company or person. This new type of system would give increased advantages in stopping fraudulent transactions over the standard fraud system. This type of system could also better serve to protect multiple types of companies and individuals, as well as to recognize the good customer from even the most sophisticated thief attempting theft.
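The two-stage arrangement described here, and the "individual purchasing behavior, not general purchasing patterns" point made earlier for the trucking case, can be shown in a few dozen lines: a primary stage applies the general rules everybody passes through, and an automated secondary stage compares the transaction with this customer's own history and routes anything the customer has never done to review rather than accepting it because it looks normal in general. This is an added example for this post, not the author's system or any vendor's product; the customer histories, the categories, the general limit and the "three standard deviations" rule are constructed illustrations.

```python
"""Two-stage screening: general rules first, then an automated secondary
stage that judges the transaction against the customer's own baseline.

Added example for this post; histories, thresholds and fields are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer_id: str
    amount_cents: int
    merchant_category: str
    country: str


# Constructed per-customer history: (amount_cents, merchant_category, country).
HISTORY = {
    "cust-1": [(4_500, "fuel", "US"), (5_200, "fuel", "US"), (3_900, "fuel", "US"),
               (12_000, "repairs", "US"), (4_800, "fuel", "US")],
    "cust-2": [(250_000, "electronics", "US"), (180_000, "electronics", "US"),
               (310_000, "electronics", "US")],
}

GLOBAL_LIMIT_CENTS = 500_000   # constructed primary-stage rule that applies to everyone
MIN_HISTORY = 3                # below this, the secondary stage cannot vouch for anyone


def primary_stage(txn: Txn) -> str:
    """General rules: 'pass' or 'decline'. These know nothing about the individual."""
    if txn.amount_cents <= 0 or txn.amount_cents > GLOBAL_LIMIT_CENTS:
        return "decline"
    return "pass"


def secondary_stage(txn: Txn, history) -> tuple:
    """Compare the transaction with *this* customer's own baseline.

    Returns ('accept' | 'review', reasons). Anything unrecognized for the
    person goes to review; nothing is accepted merely because it is common.
    """
    reasons = []
    if len(history) < MIN_HISTORY:
        return "review", ["insufficient history for this customer"]
    amounts = [h[0] for h in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    # Guard against a flat history (sigma 0) by never using a band narrower than 10% of the mean.
    if txn.amount_cents > mu + 3 * max(sigma, 0.1 * mu):
        reasons.append("amount far above this customer's usual")
    if txn.merchant_category not in {h[1] for h in history}:
        reasons.append("merchant category never seen for this customer")
    if txn.country not in {h[2] for h in history}:
        reasons.append("country never seen for this customer")
    return ("review" if reasons else "accept"), reasons


def screen(txn: Txn, history=HISTORY) -> dict:
    """Run both stages; the secondary stage only sees what the primary stage passed."""
    if primary_stage(txn) == "decline":
        return {"decision": "decline", "stage": "primary", "reasons": ["exceeds general limit"]}
    decision, reasons = secondary_stage(txn, history.get(txn.customer_id, []))
    return {"decision": decision, "stage": "secondary", "reasons": reasons}


if __name__ == "__main__":
    same_purchase = [Txn("cust-1", 200_000, "electronics", "US"),
                     Txn("cust-2", 200_000, "electronics", "US")]
    for t in same_purchase:
        print(t.customer_id, screen(t))
```

The point the two calls in the demo make is that an identical $2000 electronics purchase is an ordinary event for one customer and a review item for the other; a single general rule would have to treat both alike. A real deployment would keep the baseline per payment instrument and refresh it from accepted transactions, but the structure (general rules, then a per-person check that defaults to review) is the whole idea.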

Data protection methods vary by company or organization but I would recommend a daily high level review and a weekly lower level review as well as a full review every two to four weeks. PCI guidelines recommend that reviews or audits be done quarterly but with the number of data breaches reported happening worldwide companies should consider more frequent system reviews. Proper automated review could save a company from breaches that can be costly on many different levels.

There are a number of articles and blogs that attempt to explain what to do to protect a system from data breaches. There are also a number of companies currently offering software packages for a company to use in order to protect a system against data breaches as well as software that attempt to identify fraudulent transactions. Many companies believe that the software programs and other automated steps they take to protect the data in their system can also protect this data from fraudulent use. This is far from the actual fact.

Because companies and institutions vary greatly in how they attempt to protect their own data and the data their customers trust them with, software never really addresses individual customer protection needs. Protection software is built to protect the company storing the data that was entrusted to it. What is needed are programs that work together and are able to provide data protection as well as notify the affected company and individual of any real and potential fraudulent attempts the lost data may be used for.

Like organizations have similar needs, but they also have individual needs and requirements that are rarely, if ever, built into the average software protection package. Companies selling protection software will try to adapt the software program to address a company’s individual needs, but many times it is too expensive or just not feasible to change the software program in the manner that would best protect the individual company and its customers. This is what the thieves and hackers know and count on. Once a software program is understood by these unscrupulous people, the theft begins and the profits for the thieves increase. Until there is a proper mix of data protection software and fraud protection software that addresses intrusions into a company’s system, data losses and fraudulent attempts will continue to result in losses for companies and institutions in the billions of dollars. A report entitled the True Cost of Fraud Study by LexisNexis in 2009 stated that merchants were paying $100 billion in fraud losses and related charges for these fraudulent transactions.

If data is lost through a compromise directly from the company or from third party vendors doing business with the company, it is crucial this information be immediately available and used in protecting the consumer, company, and worldwide merchants from losses. Utilization of a multi-level and multi-dimensional system that also utilizes an automated secondary system for anomalies in recognizing separate transactions has increased advantages in stopping fraudulent transactions especially after a breach has occurred.

A flaw that I have unfortunately seen a number of times when reviewing the security of systems is systems that are not “locked down”. Locking down a system to an individual, and locking that individual’s access to sensitive data to a single workstation, will not only protect the company but will protect every employee. Companies have asked “what about shared computers?”, which many companies and institutions currently use to save money. Locking down a system in the prescribed manner requires that a person’s access to sensitive data be controlled by recognizing not only the party’s password but also a station’s distinctive address. This does not mean that a party could not use another workstation, but by locking the individual’s level of sensitive-data permission to a single station, it also restricts the level of information that could be viewed at a different workstation.
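The access decision described above is straightforward to express as code: the password proves who is asking, the station address says from where, and the person's full sensitive-data level is granted only when both match the registration; from any other station the same person is dropped to a lower level rather than refused outright, which is what makes shared computers workable. This is an added example for this post, not the author's implementation; the users, passwords, addresses, the three data levels and the fallback level are constructed.

```python
"""Bind each person's sensitive-data permission to one registered workstation.

Added example for this post. Users, passwords, station addresses and the
data levels are constructed; the policy is the one the post describes.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os

# Ordered data levels (constructed): higher number, more sensitive.
LEVELS = {"public": 0, "internal": 1, "sensitive": 2}


@dataclass(frozen=True)
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes
    max_level: str              # level this person is cleared for at the bound station
    bound_station: str          # the registered station's distinctive address
    fallback_level: str = "internal"   # what the same person gets from any other station


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen user table does not yield the passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(username, password, max_level, bound_station, fallback_level="internal"):
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(password, salt),
                      max_level, bound_station.lower(), fallback_level)


def granted_level(user: UserRecord, password: str, station_address: str):
    """Return the data level this session may see, or None if the password is wrong.

    The password alone never unlocks the full level; the request must also
    come from the station the person was registered on.
    """
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return None
    if station_address.lower() == user.bound_station:
        return user.max_level
    # Different station: the lower of the person's clearance and the fallback level.
    return min(user.max_level, user.fallback_level, key=LEVELS.__getitem__)


def may_view(user: UserRecord, password: str, station_address: str, record_level: str) -> bool:
    """True if a record classified at `record_level` may be shown to this session."""
    level = granted_level(user, password, station_address)
    return level is not None and LEVELS[level] >= LEVELS[record_level]


if __name__ == "__main__":
    jdoe = make_user("jdoe", "correct horse battery", "sensitive", "00:11:22:33:44:55")
    for station in ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"):
        print(station, "->", granted_level(jdoe, "correct horse battery", station))
```

Keep in mind that a hardware or network address identifies a station but is not itself a secret, so in practice the "distinctive address" is best backed by something the station can prove, such as a device certificate; the decision logic above stays the same, only the check that produces the station identity changes.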

A review of the personal items that should be allowed during work hours should also be a priority for companies. Cell phones are capable of taking and transmitting pictures around the world in just a few seconds. What might look like someone making a call could really be someone transmitting pictures of sensitive data. iPods are storage devices, and if proper detection software for items being plugged into a system is not in place, large quantities of data can be lost. This is also true of USB devices, which are small and hard to detect.

Access to customers’ sensitive data should never be allowed outside of the company. This includes allowing laptops or other storage devices to be taken out of the office if this information is stored on the device. A number of reports have described the loss of these devices and the information contained on them. If access is needed outside of the company’s or institution’s location, then an external lockdown procedure similar to the internal procedure should be required. These external sites should also be monitored by internal personnel, with special login procedures as well as a secondary validation procedure put in place each time the external system is used.

Not taking steps beyond current software and personnel to protect a company’s data from being stolen, and from the potential that the information could be used for fraud, has resulted in hundreds of millions of people being affected. A data intrusion can be devastating to a company’s bottom line, so investing in someone to suggest a few extra steps of protection can in fact save a company time and money.

Examining how to protect your business data and your customers’ information requires looking beyond the normal operating procedures companies employ. Protecting sales with a variety of procedures is paramount to protecting not only your company’s reputation and sales but the customers’ data. The problem I see with last-minute measures being taken by companies and organizations is that the efforts are trying to give two-dimensional protection in a three-dimensional world.

The best explanation I can come up with for my version of two-dimensional protection is this: many companies are still using systems developed over the last few decades to protect parties known to the company or that have a relationship with the company. Our new three-dimensional world allows buyers to be completely anonymous, and the buyer may use any identity they wish, while you as the company need to just take their word for it or risk upsetting a potentially good customer. It used to be buyer beware; today’s world is turning into company beware.

Companies should consider the following. Companies should store personal and sensitive data on a system separate from the system(s) that are accessible to or used by parties outside the organization, or used for normal Internet access by company personnel in their daily duties. This secondary system should have lockdown procedures that only allow transfer of sensitive or personal data to the system, not from the system, except to authorized personnel within the company. The lockdown should also restrict the authorized personnel to accessing this information on separate system(s) not directly or indirectly connected to any outside system. Protection programs used by these systems need to protect the individual’s purchasing patterns, not perform a general review of information that is deemed to “look like it is safe”.

Consumers and companies also need to take steps to protect themselves and should request automatic notification updates from the various financial institutions and credit card companies they use. Request notification when accounts are logged on to, as well as when purchases or other transactions are above specific amounts or outside of the normal purchasing patterns. For some parties this may involve receiving a number of notifications per day, and my recommendation is not to just glance at them or ignore them. If a financial institution or credit card company is unable to supply this information to protect you, then consider either changing to another company or minimizing your use of them.

Fraud and data protection is a process that companies believe they are properly investing in until a loss occurs. Because of the many high profile losses more attention has been given to making systems safer. Unfortunately data losses are still happening daily and some losses are happening to the same companies multiple times.

The goal needs to be making the process and software program protect at a more granular level that does not affect the party making the purchase but still provides an extremely high level of fraud and data protection. As previously stated in this series, utilization of a multi-level and multi-dimensional system that also utilizes an automated secondary system for anomalies in recognizing separate transactions has increased advantages in stopping fraudulent transactions, especially after a breach has occurred.

Al Cameron

Fraud and Data Protection is a Process Not a Software Program-Part 7


Al Cameron
612-367-7679

Fraud and Data Protection is a Process Not a Software Program-Part 6


Part 7 Tomorrow.

Al Cameron