Dirty dozen card data theft variables.
Wednesday, August 20th, 2008
12 serious data theft breach areas you must take control of if you use card payment services.
- Wireless networks. As pointed out by Tom from databackupie in his comment on our post about the Irish card payment system scam on the weekend of 16th and 17th of August, wireless networks are rarely adequately secured and very easily breached. The popularity of a small number of broadband providers means that once a single overall hack method succeeds, hacking their clients becomes an easily replicated job. In the Eircom example which Tom referred to, there are Netopia decrypters available on the web. This type of hack is device specific and breaches at device rather than encryption level, making the hack quick and the method near uniform. If a business with a payment service system does not isolate that system (i.e. uses the same broadband for general use), or uses a wireless connection (even if it is encrypted) on the connection used for payment services, hacking it can be all too easy. Add to this that many businesses use unencrypted wireless systems and you can see that the pickings are rich. Intent is in many cases the only required ingredient, as the data is there to be breached without any significant know-how. Wireless networks are the biggest non social engineering risk a business will face when protecting card services data.
- Social engineering. This is simply a huge area. It involves a level of human contact. This can be by phone, post, directly at the store or to a staff member outside of work. The general aim is to gain trust by asking seemingly innocuous open questions which are intended to cause the subject to unwittingly part with information which will assist with a breach. A very good example is the card services scam about which Tom commented. In that case, people entered premises under the pretence of representing card services and fitted devices to the payment system thus giving themselves full access to the data required to defraud card holders.
- The enemy within. Earlier we discussed Netopia (a broadband device commonly used by Eircom) and now we enter the area of Utopia. In a perfect world all staff could be trusted. Unfortunately this perfect world just does not exist, so every data protection policy must assume that every manager and staff member is capable of playing a starring role or taking a bit part in fraud. This complicates security, as staff by the nature of their employment must have access to physical areas, communication devices and data stores. The enemy within was in years gone by a potential suspect for cash (and possibly goods) theft. That generally required cash or goods to leave the premises on their person. Data theft is far more complicated, as data can travel through phone line, cable, antennae and hand held device. The data enemy within can now acquire vast monies without carrying any when leaving the premises. This is a huge risk area and, while data transfer generally leaves a trace, it can be very difficult to follow. Protection in this area involves policy in staff selection, monitoring and reporting, and any weakness could end in considerable cost.
- Mail order. Any facility which allows persons to make purchases by card without ever having to meet the vendor is open to abuse. Your card services provider and bank will provide guidelines for dealing with mail order. If you are allowed to process mail order you will likely, as a part of your procedure, have limits and a requirement to send to the card address only. If you adhere strictly to all the requirements laid down, fraud will be less likely to succeed and you will be innocent of any wrongdoing if it does. Any system is open to breach even if procedures are adhered to correctly. With mail order, any failure to adhere to procedures by any member of your organisation shifts the blame and possibly the financial burden. Mail order should be the domain of experienced staff.
- Stolen cards. An unreported stolen card may not be your responsibility, but suspicions should be acted on without infringing on the rights of the suspect. A good starting point is to contact law enforcement and relevant card services support while buying time with the suspect and noting any specific details or appearance points. Mark Sullivan pointed out the possibility of showing the suspect a product similar to the one they have which is positioned close to security cameras. He wasn’t sure about the ethics of guiding potentially innocent shoppers towards cameras and neither am I. If it is legitimate it sounds like a good idea. Stolen cards generally have a short life and it is common for users to make significant purchases while they are “fresh”. Card services will be alert to unusual spending patterns on a card if you communicate your suspicions.
- Improper procedure. Card services are a supplier of yours. They provide a service and earn a commission. You, however, have responsibilities in your part of any transaction. If you do everything by the book, card services (or a client who has failed to report a card as stolen in an acceptable time frame) will generally take the hit. If, however, you skip or fail to properly complete procedures (even if these errors are not the proximate cause of the security failure) you may be sanctioned. These sanctions can range from financial responsibility and complete removal of the facility to a limitation on the amount or type of card payments you can receive. This is only fair, as the co-operation of retailers (online and offline) is a critical part of the defense of card payment services and one without which a widely usable level of service could not be offered.
- PIN in sight. It is very common for consumers to fail to cover their PIN entry. Many PIN entry terminals have no collar, or a collar which blocks only a small part of the viewable window to the keypad. Staff must guide consumers (by verbal communication or by physically moving the entry device) to a position from which neither staff nor other shoppers can see the PIN entered. If an intended perpetrator gains a consumer's PIN, all they need then is temporary access to the card or to steal the card. This makes the consumer a target and puts them in potential danger beyond fraud.
- In store card theft. This type of distraction theft commonly takes place after a criminal sees a purchaser's PIN (see item 7, PIN in sight, above), and the combination of card and PIN gives the criminal a short period of time (if the shopper is aware of the theft) to acquire cash from an A.T.M.
- In store terminal theft. In the story which started this we discussed terminal replacement through social engineering. A less sophisticated example is terminal theft. In a busy environment this should be noticed and reported as soon as the next card purchase requires the terminal, but it is common for a store with more than one terminal to continue as if nothing happened until the mystery of the missing terminal is reported to a supervisor.
- Cancelled subscription commissions. If you pay commissions to sales agents based on sales, be careful about how you treat credit card sales. This type of scam is common in network marketing environments in which an online sales agent has great sales success which you reward. In time the sales are cancelled or the payments are found to be fraudulent, but there is no sign of the commissions you paid or the agent you paid them to. This has happened in environments with many agents. It is not likely that you would get into this position if you followed procedure, so finding yourself in it increases your exposure.
- Terminal down card payments. Chip and PIN has been around for some time, so the incidence of manual payment is low. Every processor will have strict rules for terminal down situations. They could run from contacting card services for each sale to no sales allowed. If you breach this, even with the best of intentions, you expose yourself to the risk, and during a very high risk period.
- Cash refunds. If a criminal acquires a card which can be used for purchases but not A.T.M. withdrawals, they could make a purchase from you (availing at the same time of cash-back) and later come back with the product for a refund based on any acceptable reason. If this refund is in the form of cash, the criminal has succeeded. Ensure your refunds policy is in accordance with card services and involves detailed recording and claimant identification.