In December 1999, the Wall Street Journal ran an article about generals, admirals, and other military personnel who experienced identity theft and fraud. An invisible party was able to secure enough information to obtain credit cards in the names of these unsuspecting individuals. In turn, this thief ordered thousands of dollars in merchandise with these fraudulent new cards. To make matters worse, this party used the Internet to inform other online thieves how they could steal using this technique. Twelve years later the only thing that has changed is the magnitude of people that are subject to having their identity stolen and the number of attacks companies are suffering. Losses have multiplied many fold since these early days.
Recent history has shown that almost nothing can be completely protected. According to daily articles and reports companies have lost millions of pieces of data to hackers and thieves. Payment processors have had malicious code unknowingly placed on their system that has given the thieves the ability to steal millions of more pieces of personal data. Medical facilities, government agencies, third party email providers, as well as companies and merchants of every type are subject attacks by hackers and thieves from around the world. Sharing information and programs on how to steal data is readily available
Losses and the cost for companies and consumers involved are in the billions of dollars. The easier you make it for people to pay for something without proper controls the easier it is for the thieves to steal and use that same information and techniques. The fine line is how all companies can make it non-intrusive for their customers to purchase the goods or services that are being sold but recognize the non legitimate customers. The more control you require a purchaser to participate in, the less likely they will use that payment method or purchase goods or services from a company.
I believe fraud and data protection systems need to be developed with more granular level reviews, or losses will continue to increase.
Every day thieves are able to gain valuable data from an assortment of different company’s. This is done when someone mistakenly clicks on a link in a phishing email message, they or their company receives. This action can install various types of malware that allows access to a company’s system. Some company’s and institutions have unscrupulous or disgruntled employee’s that help the thieves with obtaining the needed information to steal data. Hackers use a number of other proven ways to break into systems and gain access to sensitive data. Security software can only protect from known problems not from new viruses or intrusion programs the thieves are continually developing or adapting.
Examine two ways of how a simple mistake can lead to devastating results for the companies involved. The first case will examine ACH losses and in the second portion , I will address a similar type of problem that is little known and gets little if any press but is perpetrated against one of the most vital industries in the world.
Many cases of ACH fraud happen when an employee or company receives a phishing or similar type of email and someone attempts to view the contents of the email. There have been a number of these emails that use enticing titles to make a party curious enough to view the contents, while other emails look like legitimate business correspondence. Once opened or viewed the attachment or link will install a malware program that now allows the thieves to view or receive information that can lead to losses. Obtaining account numbers and passwords is the main goal and will now allow the perpetrator to pretend to be an employee and give the thief the ability to use this information to steal in a number of different ways. Bank wires, payroll, and paying bogus companies for services not performed.
Few companies or individuals understand that banking rules for companies differ from individuals in the amount of time they have to report possible fraudulent ACH transactions. Banking rules allow only 2 days for companies but up to 60 days for individuals. It is imperative for companies to take steps to protect a company’s information from even simple mistakes that can be made.
The simplest way to do this is to have a separate system or laptop that only contains the information and ability to receive and send financial information. This system or laptop should not have direct internet access or have the ability to receive emails or use programs that do not relate specifically to handling the company’s financial needs. This system should be locked up, in the case of a laptop, and locked down in case of a larger system when not directly being used by authorized personnel for financial transactions.
The minor cost in taking these steps can save any company or organization time and money.
The trucking industry is subject to a number of different fraud scenarios but the focus will be mainly on what might be the most lucrative. Trucking firms can be a one-man operation or a large company with hundreds of trucks that travels both locally, across nation, and even international borders. There are logistic companies that provide financial and other business services to help the trucking industry. Fuel cards, brand national credit cards, as well as other payment methods to assist drivers and companies to concentrate on the job of driving and delivering of loads of the goods they carry. Most trucking logistics companies have agreements with many merchants, nationwide, that provide fuel and other necessities needed by trucking companies and truckers.
Like any business that may provide a financial gain for a thief, the trucking industry also provides areas for the thieves to attempt data theft as well as fraudulent scams. I do not minimize the misuse of credit card information or other types of retail type fraud suffered by trucking firms. I will concentrate on the fraudulent cashing of drafts or draft information provided to trucking companies. This manner of payment is used so truckers and their families have quick access to ready cash in order to pay for repairs and other needed items. A draft has characteristics of a banks counter-check but the main difference is when the proper sequence of numbers and information is given verbally to an authorized merchant, cash can be received or used to pay for services.
What is required is either a generic draft be properly filled in or just a cash register receipt to be printed and signed. Cash if requested could be given to the “driver” up to the limit of requested authorized draft amount or set merchant limit. Unlike a counter-check when a “draft” amount is originally authorized for a specific amount the required cashing sequence of information can be shared with a number of people and each of these parties are able to cash their portion of the draft. (IE; a ‘draft’ amount is authorized for $3000, 6 parties could each cash $500 at one establishment or multiple establishments in the same city or across the nation.) As in other types of losses, when a phishing scheme or data loss is perpetrated and the thieves gain the needed information to authorize ‘draft’ amounts this information can be relayed to parties all over the country by mobile phones and losses can occur within minutes.
The strength of the data protection system as well as the available fraud system utilized by each of the parties mentioned above needs to become a priority. Protection systems must understand individual purchasing behavior not general purchasing patterns in order to properly protect all involved from losses. When two or more parties have become victims by thieves utilizing a similar or the same type of fraudulent scams, then the responsibility is to find a way protect the customer by knowing the customer and must be addressed by all parties involved.
The question is who should be responsible for the losses, the merchant, the logistics company, or should the trucking company. Unfortunately like most theft the company that was the victim will normally suffer the losses.
It is imperative for companies and institutions to take the next step in data and fraud protection. Every day articles are written about data being lost and identity theft taking place. If a company or organization has their system compromised only then do they begin to strengthen their procedures to make sure this does not happen again. Unfortunately, reports show that there are a number of companies that took what they thought were enough steps to stop future data intrusions from happening but had more intrusions that resulted in more data being stolen, even after new procedures were put in place.
Systems need to be protected from not only the outside threats but inside mistakes. Protection for the company or institution is a lower priority than providing the necessary personal and funding to develop and promote the core of the business the company is in. Attempting to develop a quick fix after your company has been attacked or data lost only serves to show that protecting a customers’ information was not the priority it should have been.
Consideration should be given to utilizing a multi-level and multi-dimensional system that also utilizes an automated secondary system for anomalies. The secondary system should allow for unrecognized transactions for that company or person. This new type of system would give increased advantages in stopping fraudulent transactions over the standard fraud system. This type of system could also better serve to protection multiple types of companies and individuals as well as recognizing the good customer from even the most sophisticate thief attempting theft.
Data protection methods vary by company or organization but I would recommend a daily high level review and a weekly lower level review as well as a full review every two to four weeks. PCI guidelines recommend that reviews or audits be done quarterly but with the number of data breaches reported happening worldwide companies should consider more frequent system reviews. Proper automated review could save a company from breaches that can be costly on many different levels.
There are a number of articles and blogs that attempt to explain what to do to protect a system from data breaches. There are also a number of companies currently offering software packages for a company to use in order to protect a system against data breaches as well as software that attempt to identify fraudulent transactions. Many companies believe that the software programs and other automated steps they take to protect the data in their system can also protect this data from fraudulent use. This is far from the actual fact.
Because companies and institutions vary greatly in not only how they attempt to protect the data of their company and the data their customers trust them with, software never really addresses individual customer protection needs. Protection software is built to protect the company storing the data that was entrusted to them What is needed are programs that work together and are able to provide data protect as well as notify the affected company and individual of any real and potential fraudulent attempts the lost data may be used for.
Like organizations have similar needs but they also have individual needs and requirements that are rarely, if ever, built into the average software protection packages. Companies selling protection software will try to adapt the software program to address a company’s’ individual needs but many times it can be too expensive or is just not feasible to change the software program in the manner that would best protect the individual company and their customers’ needs. This is what the thieves and hackers know and count on. Once a software program is understood by these unscrupulous people let the theft begin and the profits for the thieves increase. Until there is a proper mix of data protection software to the fraud protection software that addresses the intrusion to a company’s system, data losses and fraudulent attempts, will continue to result in losses for companies and institutions in the billions of dollars. A report entitled the True Cost of Fraud Study by LexisNexis in 2009 stated that merchants were paying 100 Billion in fraud losses and related charges to these fraudulent transactions.
If data is lost through a compromise directly from the company or from third party vendors doing business with the company, it is crucial this information be immediately available and used in protecting the consumer, company, and worldwide merchants from losses. Utilization of a multi-level and multi-dimensional system that also utilizes an automated secondary system for anomalies in recognizing separate transactions has increased advantages in stopping fraudulent transactions especially after a breach has occurred.
A flaw that I have unfortunately seen a number of times when I have reviewed the security of systems, are systems that are not “locked down”. Locking down a system to an individual as well as locking that individuals access to sensitive data to a single work station will not only protect the company but will protect every employee. Companies have asked “what about shared computers” as many companies or institutions currently employ to save money. Locking down a system in a prescribed manner requires a person’s access to sensitive data be controlled by not only recognizing the parties’ passwords but also a stations distinctive address. This does not mean that a party could not use another work station but by locking a system to the individual’s level of sensitive data permission to a single station, it would also restrict the level of information that could be viewed at a different work station.
A review of personal items that should be allowed to be accessed during work hours should also be a priority to companies. Cell phones are capable of taking and transmitting pictures around the world in just a few seconds. What might look like someone making a call could really be someone transmitting pictures of sensitive data. Ipods are storage devices and if proper detection software for items being plug into a system is not in place large quantities of data can be lost. This is also true with USB devices that are small and hard to detect.
Access to customers’ sensitive data should never be allowed outside of the company. This includes allowing laptops or other storage devices to be taken out of the office if this information is stored on the device. A number of reports have indicated the loss of these devices and the information contained on them. If access is needed outside of the companies or institutions location then an external lockdown procedure similar to the internal procedure should be required. These external sites should also be monitored by internal personnel and special login procedures as well as a secondary validation procedure put in place each time the external system is utilized.
Not taking steps beyond using current software and personnel to try and protect a company’s data from being stolen and the potential that information could be used for fraud has resulted in hundreds of millions of people to be affected. A data intrusion can be devastation to a company’s bottom line so investing in someone to suggest a few extra steps of protection can in fact save a company time and money.
Examining how to protect your business data and your customers’ information requires looking beyond normal operating procedures companies employ. Protecting sales with a variety of procedures is paramount to protecting not only your company reputation and sales but the customers’ data. The problem, I see, with last minute measures being taken by the companies and organizations is that the efforts are trying to give two-dimensional protection in a three-dimensional world.
The best explanation I can come up with to explain my version of two-dimensional protection is, many companies are still using systems developed over the last few decades, to protect parties known to the company or that have a relationship with the company. Our new three-dimensional world now allows buyers to be completely anonymous but the buyer may use any identity that they wish to and you as the company need to just take their word for it or risk upsetting a potentially good customer. It use to be buyer beware, today’s world is turning into company beware
Companies should consider the following. Companies should store personal and sensitive data on a system separate from the system(s) that are accessible or used by parties outside the organization or normal internet use by company personal in their daily duties. This secondary system should have lockdown procedures to only allow transfer of sensitive or personal data to the system, not from the system except to authorized personnel within the company. The lockdown should also restrict the authorized personnel to access this information on separate system(s) that is not directly or indirectly connected to any outside system. Protection programs utilized by these systems need to recognize protecting the individual purchasing patterns and not a general review of information that is deemed “looks like it is safe”.
Consumers and companies also need to take steps to protect themselves and should request automatic notification updates from the various financial institutions and credit card companies they may use. Request when accounts are logged on as well as when purchases or other transactions are above specific amounts or outside of the normal purchasing patterns. For some parties this may involve receiving a number of notifications per day and my recommendation is not to just glance at them or ignore them. If the financial institution and credit card company is unable to supply this information to you to protect you then consider either changing to another company or minimizing use of them.
Fraud and data protection is a process that companies believe they are properly investing in until a loss occurs. Because of the many high profile losses more attention has been given to making systems safer. Unfortunately data losses are still happening daily and some losses are happening to the same companies multiple times.
The goal needs to be making the process and software program protect at a more granular level that does not affect the party making the purchase but still has an extremely high level of fraud and data protection. As previously stated in this series, Utilization of a multi-level and multi-dimensional system that also utilizes an automated secondary system for anomalies in recognizing separate transactions has increased advantages in stopping fraudulent transactions especially after a breach has occurred.
Al Cameron