Business Fraud & Security

What is EMV? 

In its most basic terms, EMV, which signifies Europay, MasterCard and Visa, is a global technology specification for payment adopted by MasterCard, Visa, JCB, Discover Financial Services, and American Express to name a few; that ensures that chip cards work with point-of-sale terminals and ATMs from country to country, to authenticate credit and debit card transactions. Please view this short video for more information on Smart Cards, also called EMV or Chip Cards.

Through this joint venture, MasterCard, American Express, Discover, JCB and Visa are working to ensure that chip payment cards can continue to be accepted everywhere.

EMV is based on strong cryptography (both symmetric and asymmetric) and elaborate key management; a fundamental EMV principle is to digitally sign payment data to ensure transaction integrity. As opposed to magnetic stripe technology, a chip is extremely difficult to crack; card authentication and PIN verification are performed automatically and objectively by the chip. An important aspect of EMV is its use of dynamic data. Each transaction carries a unique 'stamp' which prevents the transaction data from being fraudulently reused, even if it is stolen from a merchant's or processor's database. EMV's dynamic data feature basically says 'if you can't prevent data from being stolen, make the stolen data useless' because dynamic data is only useful for the sole transaction it characterizes, nothing more.

Why EMV?

Our country has been wrought with breaches in the last several years, making the migration to EMV all the more important in the U.S. As the European Union has completed its migration to EMV, the region has seen an 80% reduction in credit card fraud while the U.S. has witnessed a 47% increase. EMV is the only available technology used to prevent card payment fraud from happening in an efficient, systematic and globally interoperable way. These cards use advanced encryption, online and offline authentication and embedded card risk analysis capabilities, which make most traditional methods used to steal card data worthless. Because of this, EMV cards are far more secure and more successful in fraud prevention than the traditional magstripe card prevalent in our country currently. Additionally, the use of EMV technology will help reduce counterfeit and lost-and-stolen fraud in the world of physical and Point-of-Sales (POS), Automated Teller Machines (ATMs) and Card Not Present scenarios (CNP). The card's ability to verify a cardholder's PIN offline, combined with the EMV's back-end authentication infrastructure make it well suited for strong authentication using one-time passwords (OTP).

When EMV?

New liability rules will take effect on October 1, 2015. What does it mean for you and your business?

 All of the major card brands (Visa, MasterCard, American Express and Discover) have announced plans to shift the liability for counterfeit card fraud losses, which is currently held largely by card issuers, to merchants and their acquirers, unless both parties implement EMV. The new liability rules will take effect on October 1, 2015. Any party that hasn't implemented EMV may be liable for the fraud that results from a magnetic-stripe payment after that date. 

What this means for card issuers:

If a counterfeit charge occurs on one of your EMV cards, liability may shift to the merchant or the acquirer, if the card wasn't processed using the chip. Card issuers are getting ahead of the game by issuing cards well ahead of the October 1, 2015 liability shift date.

What this means for merchants:

Merchants who accept in-store payments may be liable for fraudulent transactions beginning October 1, 2015 if an EMV card is presented but the merchant chooses to process the payment using the magnetic stripe instead. Merchants can prevent this by installing EMV-enabled terminals. Fortunately, nearly all POS terminals sold today in the U.S. are EMV-ready.

Preventative Measures a Business Can Take Include:

• Initiate ACH, wire transfers and online bill payments under dual control. For example, one person authorizes the creation of the payment file; and a second person authorizes the release of the file. 
• Ensure that all anti-virus and security software and mechanisms for all computer workstations and laptops are robust and up-to-date. Especially if those computer workstations and laptops are used for online banking and payments. 
• Monitor and reconcile accounts daily.  Many small business clients do not reconcile their bank accounts on a daily basis, and therefore may not recognize fraudulent activity until it is too late to take action. 
• Utilize routine and "red-flag" reporting (i.e., alerts about unusual activity) for transaction activity. 

Does your company keep sensitive data — Social Security numbers, credit reports, account numbers, health records, or business secrets? If so, then you have probably instituted safeguards to protect that information, whether it’s stored in computers or on paper. That’s not only good business, but may be required by law.

According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, your information security plans also should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft.

Digital Copiers are Computers

Commercial copiers have come a long way. Today’s generation of networked multifunction devices — known as “digital copiers” — are "smart" machines that are used to copy, print, scan, fax and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production. But not every copier on the market is digital: generally, copiers intended for business have hard drives, while copiers intended for personal or home office use do not.

The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.

Digital copiers store different types of information in different ways. For example, photocopied images are more difficult to access directly from the hard drive than documents that are faxed, scanned or printed on the copier.

The Life-Cycle of a Copier

Copiers often are leased, returned, and then leased again or sold. It’s important to know how to secure data that may be retained on a copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.

It’s wise to build in data security for each stage of your digital copier’s life-cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Before you acquire a copier

Make sure it's included in your organization’s information security policies. Copiers should be managed and maintained by your organization’s IT staff. Employees who have expertise and responsibility for securing your computers and servers also should have responsibility for securing data stored on your digital copiers.

When you buy or lease a copier

Evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

• Encryption is the scrambling of data using a secret code that can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.
• Overwriting — also known as file wiping or shredding — changes the values of the bits on the disk that make up a file by overwriting existing data with random characters. By overwriting the disk space that the file occupied, its traces are removed, and the file can’t be reconstructed as easily.

Depending on the copier, the overwriting feature may allow a user to overwrite after every job run, periodically to clean out the memory, or on a preset schedule. Users may be able to set the number of times data is overwritten — generally, the more times the data is overwritten, the safer it is from being retrieved. However, for speed and convenience, some printers let you save documents (for example, a personnel leave slip) and print them straight from the printer hard drive without having to retrieve the file from your computer. For copiers that offer this feature, the memory is not overwritten with the rest of the memory. Users should be aware that these documents are still available.

Overwriting is different from deleting or reformatting. Deleting data or reformatting the hard drive doesn’t actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files: The data remains and may be recovered through a variety of utility software programs.

Yet another layer of security that can be added involves the ability to lock the hard drives using a passcode; this means that the data is protected, even if the drive is removed from the machine.

Finally, think ahead to how you will dispose of the data that accumulates on the copier over time. Check that your lease contract or purchase agreement states that your company will retain ownership of all hard drives at end-of-life, or that the company providing the copier will overwrite the hard drive.

When you use the copier

Take advantage of all its security features. Securely overwrite the entire hard drive at least once a month.

If your current device doesn’t have security features, think about how you will integrate the next device you lease or purchase into your information security plans. Plan now for how you will dispose of the copier securely. For example, you may want to consider placing a sticker or placard on the machine that says: “Warning: this copier uses a hard drive that must be physically destroyed before turn-in or disposal.” This will inform users of the security issues, and remind them of the appropriate procedures when the machine reaches the end of its usable life.

In addition, your organization’s IT staff should make sure digital copiers connected to your network are securely integrated. Just like computers and servers that store sensitive information, networked copiers should be protected against outside intrusions and attacks.

When you finish using the copier

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.

One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives aren’t always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than to remove the hard drive on your own.

Protecting Sensitive Information: Your Legal Responsibility

The FTC’s standard for information security recognizes that businesses have a variety of needs and emphasizes flexibility: Companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable depends on the nature and size of your business, the types of information you have, the security tools available to you based on your resources, and the risks you are likely to face.

Depending on the information your business stores, transmits, or receives, you also may have more specific compliance obligations. For example, if you receive consumer information, like credit reports or employee background screens, you may be required to follow the Disposal Rule, which requires a company to properly dispose of any such information stored on its digital copier, just as it would properly dispose of paper information or information stored on computers. Similarly, financial institutions may be required to follow the Gramm-Leach-Bliley Safeguards Rule, which requires a security plan to protect the confidentiality and integrity of personal consumer information, including information stored on digital copiers.

Source: FTC.org

It's a dangerous world out there in cyberspace.  Security threats are escalating every year and have become more malicious with cybercriminals entering the scene stealing financial and personal information. Cell phones and automobiles are becoming more computerized, and hackers have an even wider selection of devices to infect with malicious threats. With so many pluggable devices available coming on the market, new areas of exposure are created. 

Here's a quick look at some of today's most common computer security threats:

1. Malware. Exploits and malware are increasing through vectors ranging from social networks to mobile devices to employees themselves. As computer and operating system security continues to improve so will cybercriminals' new techniques to bypass these defenses.
2. Mobile Threats. Attackers are turning their attention to launching mobile banking attacks. Consumers will begin to see banking attacks migrate from the computer to the smartphone. Keep in mind that if your smartphone becomes infected, it can infect your computer and your home or work network.
3. Threats to Mobile Payments. Electronic currency has made sending money extremely easy. Buying or selling, paying for entertainment, and sending money to a friend from a mobile device is becoming more popular.  Electronic payments, however, are often not encrypted, unless you're using the mobile safeguards provided by your bank. Hackers know this and are increasingly targeting the growing use of cyber currency as a means to steal money and spread malware.
4. Attacks on SMBs. Small businesses believe they are immune to cyber-attacks. They erroneously think they have nothing an attacker would want to steal. They forget that they retain customer information, create intellectual property, and keep money in the bank. Truth is, small companies are typically less equipped to defend against an attack. From an attacker's point of view, any business is a potential target, no matter its size.
5. Uneducated Users. The average user has become educated enough not to click on an attachment in unsolicited e-mail, but do they know how to defend themselves in today's constantly-changing threat environment? The first step in computer security is being aware of the risk environment. Information security awareness training helps computer users develop the skills to identify risks and scams and avoid becoming a victim.
6. User Errors. Computers are great. And in fact, they are better and more reliable than people for many transactions. Computers, for example, are better than doctors at diagnosing some illnesses. That said, humans make mistakes when using computers, especially when they’re not savvy about computer security.  Even if you think you're doing all you can to avoid common security threats, you'd probably be surprised at how easily an outsider can find common -- even silly -- mistakes.

 What would you do if you suddenly noticed that huge chunks of money had been drained from your business account into overseas accounts? Unfortunately, online criminals are using increasingly sophisticated techniques to commit payments fraud against commercial business accounts. Let's take a closer look at corporate account takeover, how federal regulators and financial institutions are collaborating to help you to prevent it from happening to your business, and finally your responsibility to protect yourself.

What is Corporate Account Takeover?
Corporate account takeover is a type of fraud where thieves gain access to a business' finances to make unauthorized transactions, including transferring funds from the company, creating and adding new fake employees to payroll, and stealing sensitive customer information that may not be recoverable. Thousands of businesses have fallen victim to this type of fraud, and the losses have ranged from a few thousand to several million dollars.

Regulation E
Consumer bank accounts enjoy a certain level of protection that business bank accounts do not. Under Regulation E, there are liability limitations for unauthorized electronic fund transfers affecting consumer bank accounts. Business bank accounts do not get this kind or protection. So when business accounts are compromised, they often lose all or at least some of their money.

Customer vs. Bank
A good example of this is the court case between Patco Construction Company and their financial institution Ocean Bank. Patco computers had become infected with malware allowing fraudsters to make six wire transfers using the Automated Clearing House (ACH) transfer system amounting to more than $588,000. Only $243,000 of the stolen money was recovered. What ensued was a three-year court battle between the company and their financial institution to decide who was at fault. In the end, both were losers. Businesses and banks aren't only losing millions to fraud; they are losing millions more in legal costs, productivity losses and negative PR. The only winners in these cases are the cybercriminals.

What regulators & banks are doing to prevent corporate account takeover
In an effort to protect both consumers and businesses from financial fraud, the Federal Financial Institutions Examination Council (FFIEC) has implemented and will continue to establish new security guidelines for financial institutions. These guidelines enforce the implementation of a layered security approach, risk assessments and customer security education and awareness. You can learn more about this from your financial institution.

Who's responsible?
The question remains, "In light of the increasing and more sophisticated cyber threats, who is ultimately responsible for ensuring the security of your bank account?" The financial institution must protect their online banking technology and ensure the security of online transactions, but what responsibility does the customer have to protect their own computing systems against attack? Today security is a shared responsibility between the financial institution and the customer.

As in the case of Patco Construction, corporate account takeover attacks today are typically perpetrated quietly by the introduction of malware through a simple phishing email, a deceptive social engineering ploy, or an infected website. For a business that has low resistance to such methods of attack, the malware introduced onto its system may remain undetected for weeks or even months.

How do I protect myself and my business?
The best way to protect against corporate account takeover is a strong partnership with your financial institution. Work with your bank to understand security measures needed within the business and to establish safeguards on the accounts that can help the bank identify and prevent unauthorized access to your funds.

A shared responsibility between the bank and the business is the most effective way to prevent corporate account takeover.

Consider these tips to ensure your business is well prepared:

• Develop a security plan. Each business should evaluate its Corporate Account Takeover risk profile and develop a security plan that includes sound business practices.
• Protect your online environment. Protect your cyber environment just as you would your cash. Use appropriate tools to prevent and deter unauthorized access to your network and make sure you keep them up to date. Encrypt sensitive data and use complex passwords and change them regularly.
• Create a secure financial environment. Dedicate one computer exclusively for online banking. This computer should not be connected to the business network, have email capability, or connect to the Internet for any purpose other than online banking.
• Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that protect you from unauthorized transactions. Positive Pay and other services offer call backs, device authentication, multi-person approval processes and batch limits to help protect you from fraud.
• Pay attention to suspicious activity and react quickly. Watch for unexplained account or network activity, pop ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised. And keep records of what happened.
• Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your business. You need to understand and implement the security safeguards in the agreement. If you don't, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities.
• Educate all employees about cybercrimes so they understand that even one infected computer can lead to an account takeover. An employee whose computer becomes infected can infect the entire network. For example, if an employee takes a laptop home and accidentally downloads malware, criminals could gain access to the business's entire network when the employee connects again at work. All employees, even those with no financial responsibilities, should be educated about these threats.

Stay informed about defenses to Corporate Account Takeover. Since cyber threats change rapidly, it's imperative that you stay informed about evolving threats and adjust your security measures accordingly.

You and your employees are the first line of defense against corporate account takeover. A strong security program along with employee education about the warning signs, safe practices, and responses to a suspected takeover are essential to protecting your company and customers.

Source: infosightinc.com

Trust is an essential element of customer relationships. When it comes to internet security, your customers trust you to protect the personal information they share with you. 

You would never knowingly put them at risk, but lax computer security practices can do just that - jeopardize your customers' sensitive information and expose them to threats. 

If your company has a website, communicates with customers via email, or stores customer information in an electronic database, you could be putting them at risk if you aren't taking the right precautions. 

Gain Their Trust

The following information practices will help safeguard your customers' data and help them feel confident about doing business with you online. 

• Have (and follow) a privacy policy: Your company's website should have a privacy policy that tells customers what information you collect and how you use it. 
• Know what you have: You should be aware of all the personal information you have about your customers, where you're storing it, how you are using it, who has access to it, and how to protect it. 
• Keep what you need and delete what you don't: While it's tempting to keep information for future use, the less you collect and store, the less opportunity there is for something to go wrong. 
• Protect what they give you: If you are holding onto information about your customers, you need to keep it secure. 

Best Practices

Keeping your customers safe requires your own computer systems to be fully protected. The best policies in the world won't protect your customers if your network and resources are at risk for preventable attacks. 

Protecting your network and systems requires a lot of the same steps as protecting a single computer, only on a larger scale. 

• Keep a clean machine: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. 
• Automate software updates: Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that's an available option. 
• Scan all new devices: Be sure to scan all USB and other devices before they are attached to the network. 
• Use a firewall: A good firewall keeps criminals out and sensitive data in. 
• Use spam filters: Spam can carry malicious software and phishing scams, some aimed directly at businesses. A good spam filter will block most of it and will make your email system safer and easier to use. 
• Show your commitment to security: Participate in activities such as National Cyber Security Awareness Month and Data Privacy Day to demonstrate your businesses' commitment to security.