Rippleshot Blog

Criminals now have access to a wealth of personal information that is being exposed through data breaches - including, but not limited to names, dates of birth, email addresses, social security numbers, card numbers and home addresses. This information, paired with the implementation of EMV and the inevitable increased difficulty in committing card present fraud has led criminals to a new target - call centers. Armed with seemingly everything they need to know about a person, it often only takes one or two calls and a couple of good, educated guesses to get access to someone’s account.

Last Thursday, the Consumer Financial Protection Bureau issued a set of proposed rules that would put an end to the mandatory arbitration clauses that you see in many bank and credit card contracts today. This announcement has already seen a wealth of commentary from industry associations to legal experts and consumer advocates, but how did we get to this point? What data on arbitrations was used to make this decision? And how will this inevitable regulation affect banks moving forward? We’ll cover it all below.

Last year was a rollercoaster for the payments industry. An influx of mobile payment platforms, the start of EMV adoption, and a pack of criminals exploiting all of these uncertainties with a continued string of high profile data breaches has many fraud managers stressed beyond belief trying to manage it all. If it’s any consolation, Trustwave’s Global Security Report confirms that you’re not alone. Follow along as we highlight some of the report’s key insights on attacks, how they’re happening and what data criminals are targeting.

It’s been nearly a year since the Federal Financial Institutions Examinations Council (FFIEC) debuted the Cybersecurity Assessment Tool, commonly known in the industry as the CAT. At last week’s ABA Risk Management Conference, we learned a ton about the tool’s voluntary nature, how it compares to existing cybersecurity assessments, and how banks are passing the regulatory scrutiny onto their own vendors and third-party providers.

“I want it all…

I want it all…

I want it all…

And I want it NOW!” –Queen

Instant card issuance is the banks’ and credit unions’ ability to create debit, credit, prepaid and ATM cards right at the branch location, providing a new card instantly to the customer that can be used immediately.  Instant card issuance might not have been what Queen’s guitarist Brian May had in mind when he wrote “I Want It All” for Queen, but I think it applies. Fiserv recently produced a report on “The Role of Instant Card Issuance in Customer Satisfaction and Use.” Let’s use Fiserv’s report and May’s lyrics to dig in deeper on the many advantages and one big disadvantage to instant card issuance.

When large data breaches like the infamous ones at Target or Home Depot take place and millions of cardholders’ information has been stolen, it usually ends up on underground markets, where it’s sold in bulk. Many times, this information is purchased by criminals and used to create counterfeit cards to make purchases at brick-and-mortar stores. But with nearly 70% of credit cards currently EMV compliant (with chips) and debit cards slated to follow this year, making fraudulent purchases with counterfeit cards is becoming more difficult. As we’ve mentioned many times before, fraud is expected to shift to card not present channels, and the criminals have adapted with elaborate and sophisticated schemes to cash in on any weakness in the system they can find. Hewlett Packard Enterprise’s “Monetizing Stolen Credit Card Data” report gives us a window into the processes they’re employing to defraud U.S. cardholders and merchants of over $1 Billion each year.

In this week's recap, Rippleshot CEO Canh Tran comments on the latest Trump Hotel breach, the Fed starts reviewing proposals for faster payments, fraud is cited for slowing mobile payments growth, a Verizon database of customer information is found wide open, and the Rippleshot blog covers a new study about consumer behavior after card not present fraud.

We know that card not present (CNP) fraud, as a result of EMV implementation is on its way up and only going to continue to rise. In the U.K. and Canada, post-EMV ecommerce fraud spiked 80-100% in the three years following the conversion. Many financial institutions, knowing that most CNP fraud can be charged back to the retailer, have brushed off its impact. But according to a new study, the consumers affected by ecommerce fraud are taking more drastic measures that deserve the attention of both issuers and merchants.

In this week's recap, TreasureHunt malware steals card data direct from merchant POS systems, fuel pump payments set for major disruption and overhaul by 2020, retailers take to the Fed to try and lower debit card fees, hackers breach two major law firms, and the Rippleshot blog takes on the regulatory agencies' recent foray into cybersecurity issues.

It’s been a hot couple of months for regulators and cybersecurity. Back in June, the FFIEC (Federal Financial Institutions Examination Council) introduced a new cybersecurity assessment and recommended guidelines for banks and credit unions. In August, a U.S. appeals court ruled that the FTC (Federal Trade Commission) has the authority to regulate corporate cybersecurity. And just a few weeks ago, Dwolla, a payment platform company, found itself the first ever data security target of the CFPB (Consumer Financial Protection Bureau), and was hit with $100,000 in fines. We review the details of each, and what this means for the future.

In this week's recap, payment card fraud in the UK increases 18% year over year, even with chip and PIN cards in place, interchange fees are challenged by Dick Durbin, CNBC takes a look at how retail franchisees fare when a data breach occurs, debit cards are gaining ground on cash for small purchases, and the Rippleshot blog reviews the Federal Agencies' new guidance on prepaid reloadable cards.

As we’ve noted in previous posts, the heat is on in figuring out how to best stem fraud from gift and prepaid cards. Prepaid cards have long been a favorite of fraudsters looking for ways to move money anonymously, and the increased prevalence of reloadable prepaid cards (like those issued by Green Dot or Vanilla), where balances can be re-upped, are particularly susceptible to money laundering practices. The problem has been well-documented, with The Boston Globe reporting that in 2013, $30 million of the $20 billion loaded on Green Dot’s cards involved fraud. This week, The Federal Reserve, along with the FDIC, OCC, NCUA and the FCEN issued interagency guidance in an attempt to put an end to the problem.

In this week's recap, a skimmer video you have to see to believe, equipment retailer Bailey's suffers a data breach affecting 250,000 consumers, American Express issues alert for third-party breach, The Atlantic takes everyone on the payment card spectrum to task over security concerns, and a deep dive on the latest EMV implementation struggles, five months in.

Five months in, and the EMV rollout has gotten off to a relatively rocky start. Many of the smaller and mid-size financial institutions we’ve spoken to have yet to finish transitioning over to chip cards, and anyone with a chip card can vouch for the fact that most merchants aren’t yet accepting them. A fair number of EMV terminals have tape or notes over top of the slot used to dip cards, and we’re hearing from several financial institutions that card fraud is at painfully high levels. What’s happening? We dig in below..

In this week's recap, an imprisoned fraud-kingpin shares some of his schemes, mobile payment adoption gets a critical eye, NJ.com takes a deep dive on ATM skimming, Home Depot settles their consumer breach, and the Rippleshot blog takes a look at gift card fraud and what merchants are doing to try and stem it (as well as a new scheme merchants should be looking out for).