Rippleshot Blog

Have you ever looked at your computer or phone in awe, and considered the possibility that it may be smarter than you? Although the philosophical debate surrounding the nature of intelligence has waged on for decades, the advent of machine learning has caused it to suddenly resurface. After all, when a computer can comb through years of company data and solve a complex problem within seconds, it is hard to not give heed to the argument that technology is smarter. Regardless of whether or not intelligence can be measured, the final answer is that neither is smarter, and both must work effectively together in order to find solutions to tomorrow's problems. Follow the Rippleshot Team as we discuss the origins of machine learning, its implications for the future, and how you can leverage its power to benefit your institution.

Although version 3.2 of the PCI Data Security Standard (PCI DSS) was released over half a year ago, its impact will stretch much further into the future. In a way, the strategic introduction of the standard is the most noteworthy element about it. There are a few essential changes, but the projected runway provides more than enough time for organizations to brace themselves. As Payment Card Industry Security Standards Council's CTO Troy Leach stated in an interview, he believes the postponed update will give organizations the time they need to effectively implement security processes that help mitigate against cyberattacks. However, this does not mean that companies are off the hook, as today’s “most advanced” security technology can become a vulnerability to exploit for tomorrow’s cyber criminals. Follow along as the Rippleshot Team looks at The Key Highlights of PCI DSS 3.2.

It’s safe to say that 2016 has been a year of heightened turmoil for the payments and security industry. With the aftermath of EMV implementation, a sharp rise in data breaches, and unprecedented fraud losses by issuers, we know that this year has kept you busy. The good news is, we’re here to help. In order to save you time, we have compiled a list of key statistics that paint the bigger picture of the industry as a whole. Follow the Rippleshot Team as we take you through the Top 11 Stats of 2016.

A hidden gem, the Monthly Complaint Report by the Consumer Financial Protection Bureau (CFPB) helps uncover problem areas impacting the financial products and services industry in the eyes of the consumer. Whether it be consumer loans, bank accounts/ services, payment cards, debt collection, payday loans, or fraud, the CFPB has handled over 930,700 consumer complaints as of July 2016, including 24,500 in June itself. Through a careful compilation and analysis of such consumer complaints, the CFPB has been able to discern a “high-level snapshot of trends in consumer complaints”. Follow the Rippleshot Team as we review highlights from the report and discuss customer sentiments surrounding financial products and services.

We know it’s hard to believe, but sometimes even your beloved customers have malicious intentions. According to a newly published whitepaper by Radial, the majority of eCommerce fraud originates from cyber criminals, who use compromised payment data to make unauthorized transactions, and make managing eCommerce fraud extremely challenging. Merchants are forced to constantly balance risk exposure with customer disturbances, heavily invest in fraud detection technologies, and dedicate resources to preventing fraud. However, what happens when the customer is the one committing fraud? Commonly known as “friendly fraud”, this type of first party fraud is when customers transact online, and then claim their purchase was unauthorized. Follow the Rippleshot Team as we quantify how much friendly fraud has been costing merchants (quick teaser- billions), and the steps merchants should take to avoid it.

During March, the Rippleshot Team covered the top locations and trends of e-commerce fraud in a previous blog post, outlining where both the fraudsters and victims of fraud were located. Much of our focus was on warning financial institutions that EMV implementation was not the cure-all to fraud, as fraud, and its impact of customers, was not going anywhere. Some listened, while some countered that their “fraud losses were lower than ever because of EMV”. So although we don’t like to say we told you so…we told you so. Experian’s latest report, published right around the 1-year anniversary of the EMV liability shift, projects 2016 e-commerce fraud attack rates to be at least 15% higher than last year’s total. Learn the Top 10 Riskiest Zip Codes for shipping and billing fraud in our latest blog- “The Where and What of E-Commerce Fraud”.

2 years ago, security professional and evangelist David Holmes dubbed 2014 as the “The Year of the Mega-Breach”, and reasonably so, as multiple headlines featured news of massive data breaches at Home Depot, J.P. Morgan Chase, and eBay. However, the following year had a roster of mega-breaches that made the previous year’s incidents pale in comparison, causing the term to quickly become obsolete. After a holistic review of the data breaches that have occurred throughout the current year, the Rippleshot Team has decided to resurrect the concept- with a little twist. Follow along as we discuss why 2016 is “The Year Of The SMB Breach”, how data breaches can be catastrophic to small to mid-size businesses (SMBs), and what implications SMB breaches have for the overall cybersecurity industry.

Bad news. Ransomware is back with a newfound vengeance. Many of us know ransomware to be a notorious form of malware that prevents users from accessing their own systems, either by locking a user from a system entirely (locker ransomware), or encrypting user files on an affected system (crypto-ransomware). In either case, users are forced to pay a ransom in order to restore functionality and access, many times to the tune of thousands of dollars. Although ransomware dates back to 1989, its practice has ebbed and flowed in its prevalence over the years. However, it is clear that 2016 has seen a marked increase in the frequency, cost, and effectiveness of ransomware incidents. Follow the Rippleshot Team as we document the return of ransomware and its impact on the cybersecurity landscape of 2016.

“Those who cannot remember the past are condemned to repeat it”.

This quote couldn’t hold more true when it comes to the EMV liability shift in America. Cybersecurity experts are perplexed regarding the future, scrambling to find clues in order to predict the who, what, when, and why of the EMV roll-out. What they don’t know is that the answers may actually lie within the past, or across the Atlantic Ocean. Most Americans are quick to forget that we were actually one of the latest to adopt the EMV standard, following suit after Africa, the Middle East, Asia, Latin America, and almost all of Europe. So when it comes to painting a picture of the aftermath that will result from widespread adoption of EMV protocols, why don’t we examine our international counterparts more closely? Join us as we discuss European history surrounding EMV adoption, fraud trends that will carry over to America, and the implications of widespread EMV implementation in our latest infographic: The Evolution of European Card Fraud.

Chip-card hacking has most likely been around longer than you think. Commonly known as the EMV standard, which represents the card network consortium of Europay, Mastercard, and Visa, the chip-based card technology has been widely adopted in virtually every global market (except for the U.S. until recently). EMV was born in 1994, when the three international payment systems sought to develop a global chip specification for payment systems, and the first production version was released in 1996. By embedding a secure chip into a plastic payment card, EMV technology enhances the overall security of debit/credit cards, overshadowing the effectiveness of the traditional magnetic stripe-and-swipe. In addition to replacing the outdated signature with a more secure PIN (personal identification number), the chip card utilizes cryptographic processing to create an ID that is unique to every transaction, as opposed to displaying sensitive account and payment information. However, the common misconception is that EMV is the “be all, end all” of payment security- this couldn’t be further from the truth. Find out how chip-card hacking has evolved from a replacement of internal hardware to sophisticated ATM shimming software as the Rippleshot Team explores the history of chip-card hacking.

We have a good idea of the short-term consequences of data breaches- lawsuits, chargebacks, etc. But what about the long-term? A recent research report published by Claire Greene and Joanna Stavins of the Federal Reserve Bank of Boston sought to find a conclusive answer, leveraging consumer perceptions surrounding Target’s data breach as a case study. By examining longitudinal data on 1,908 US adults from results of the Survey of Consumer Payment Choice (SCPC), the report took advantage of a naturally ripe environment for experimentation, as some respondents were asked to rate payment instrument security before the Target data breach became public knowledge, and others answered the survey after news of the breach became widespread. Although the research has merit in identifying the inelastic behavior of consumers regarding payment instrument usage, it fails to address how data breaches contribute to costly card-reissuance and false-positive declines for banks and credit unions.

The aftermath of headline-grabbing data breaches at deep-pocketed retailers is almost always characterized by litigants of all sizes lining up to seek reparation for their legal injuries. These litigants can come in the form of disgruntled financial institutions, who demand compensation for breach-related expenses, or unhappy consumers who have suffered from theft of personal/ financial information and unauthorized charges on their accounts. Although consumer class-action lawsuits are a dime a dozen, they typically do not fare well in court, as courts generally conclude that their losses are covered in full by banks. On the other hand, financial institutions have a much easier time proving the costs associated with data breaches, such as card reissuance and reimbursement on fraudulent transactions. Follow along as we discuss the most recent data breach lawsuits including Target, Home Depot, and Wendy’s, and their effect on consumers, financial institutions, and retailers.

By 2019, the global e-commerce market is predicted to be worth US $2.4 Trillion. In short, e-commerce is growing at an unforeseen rate. Unfortunately, it also means that online payment fraud, a notorious companion, will tag along for the ride. In their latest research report, Fraud Trends 2016, WorldPay highlights the key issues at the fore of global risk and fraud prevention, such as perceptions regarding mobile fraud, the use of social media in risk mitigation, and the inability of companies to effectively leverage data.

The landscape of fraud between 2015 to 2016 is best characterized as uncertain and dynamic. As government institutions such as the CFPB and FFIEC begin to play a bigger role in cybersecurity regulation, it has yet to be seen what data security protocols will be required of financial institutions. Also, pending legislation in Congress surrounding data security has the potential to determine federal standards of information security for merchants. Finally, with back-and-forth lawsuits between retailers, payment card networks, and issuers over disputes regarding EMV compliance and liability shift, nobody is exactly sure who will come out on top.

At Rippleshot, we understand how difficult it can be to juggle so many moving parts and develop actionable insights from them. That’s why we created a timeline for you to get up to speed on recent developments in card fraud and payments security.

A fiery debate has resurfaced between financial institutions, merchants, and consumer groups regarding the Data Security Act of 2015. The bipartisan bill introduced to Congress as H.R. 2205 by Representatives Randy Neugebauer and John Carney on May 1st, 2015 explicitly states two purposes: “to establish strong and uniform national data security and breach notification standards for electronic data” and “to expressly preempt any related State laws in order to provide the Federal Trade commission with authority to enforce such standards for entities covered under this Act.”