Rippleshot Blog

The latest fraud scheme is targeting an unlikely audience of millennials, and using social media to do it. By hitting an audience of college students or recent graduates who are likely cash-strapped and living paycheck to paycheck, the fraudsters are cashing in - literally - on this group’s often outright desperation for a quick buck.

In the payment security space, the news is almost impossible to ignore. EMV chip-enabled cards are coming, along with an incredibly important fraud liability shift. As of October, whichever party (issuers or merchants) is not EMV compliant will take responsibility for fraud and all related chargebacks.

In a post covering the Fraud Summit here in Chicago in May, we discussed the growing concern over whether or not merchants will be able to meet the rapidly approaching deadline. The concern though, isn’t with the big box merchants, many of whom are already compliant - it’s with the smaller merchants who don’t have the technical support and cash that the larger companies have to implement overhauls of this size and scope.

Unfortunately, a recent survey by Wells Fargo confirms the suspicions that these smaller merchants won’t be ready. In fact, 68% of the small business owners surveyed in early July weren’t even aware that the EMV shift was happening.

Since we last covered the Target lawsuit, we saw a potential $19 million settlement brought to the table by Mastercard, which was defeated by their issuing banks in May. The settlement would have forced an end to the class-action litigation, which is now moving forward, in parallel with MasterCard’s attempt to renegotiate their settlement deal. Late last week, the banks involved in the lawsuit filed a request with the U.S. District Court of Minnesota to unseal some documents that until now, Target has been attempting to keep classified as confidential.

As the deadline for implementation of EMV nears closer, and chip cards are starting to hit customer mailboxes, questions surrounding the conversion are growing louder. The most controversial being why the U.S. has chosen to implement chip and signature over chip and PIN (like most other countries that have made the switch). There has been a ton of speculation over the decision, so we’re taking a step back to explain the differences, their impact, and what it really means to not be implementing PIN verification.

While the breadth of data being stolen in breaches has reached critical mass, the most valuable still remains payment card data - which is why many hackers still target it directly. Wondering how they do it? Follow along as we dive into the different ways fraudsters steal card information and how they then use it.

The introduction to Trustwave’s latest Global Security Report said it best - “Compromises are nothing new, of course, but 2014 just felt different.” Many called it the “Year of the Data Breach.” Many more were affected directly, with billions of personal records being compromised. But maybe most importantly, 2014 thrust data security into the public eye, forcing merchants, financial institutions, government and everyone in between to place a higher priority on breach prevention and detection.

Trustwave’s report provides a unique overview of the global security landscape, what trends emerged over the past year, and what the payments industry should keep an eye on moving forward.

While we’ve been busy keeping a close eye on the happenings of the Target lawsuit, issuers have filed another one - this time against Home Depot and the data breach that occured over the summer of 2014 and exposed 56 million payment cards.

Falling in line with Target, there are two lawsuit tracks - consumer and issuers. Now that both have been formally filed with the United States District Court in Georgia, follow along as we take a deep dive into the complaints and claims listed.

The Rippleshot team had the pleasure of attending ISMG’s Fraud Summit here in Chicago this week. Unsurprisingly, the topic on everyone’s minds and mentioned in almost every single panel was the impending shift to EMV in the coming months and how that will impact card security moving forward.

According to Ponemon Institute and Experian’s Data Security in the Evolving Payments Ecosystem study, nearly 70% of respondents cited that pressure to support new payment technologies is putting customer data security at risk.

We’ve all seen the articles by now. Ditch your network security provider. Forget about perimeter protection. Firewalls are useless. Data breach prevention is dead, and the only way to beat hackers is to turn to detection software instead.

Given that the number of data breaches involving 100 million or more records doubled in 2014, it’s understandable that the industry is frantically searching for the silver bullet that is going to fix this problem. The problem is, we don’t think there is one.

According to the Breach Level Index, over 1 Billion data records were stolen in 2014 - nearly 20% of those including financial information. But where is financial information being compromised, specifically? Rippleshot research has found that over 60% of payment card accounts that got stolen in 2014 can be tied back to five merchant categories.

On Monday, Rippleshot joined the Chicago Innovation Awards team and fellow 2014 winners in New York City to ring the Closing Bell at the Nasdaq Stock Market.

For much of past year, the debut of Apple Pay was eagerly anticipated to be the solution to a litany of credit card payment problems. And certainly the new method of transacting is game-changing in that it employs not only a cryptogram (much like EMV credit and debit transactions use), but also a dynamically generated 16-digit token, ensuring that merchants never directly receive or have the ability to store customers’ actual credit card numbers - which would go a long way toward preventing the large payment card breaches that have dotted the landscape for the last several years.

In addition to the tokenization, transactions are also authorized using either Touch ID (fingerprint) or through a PIN number, providing an extra layer of security to ensure that purchases are verified through the iPhone owner, in case the device gets lost or stolen.

But the problem isn’t with the transactions themselves - it’s with the card set up process.

On February 12th, a day before the White House held a cybersecurity summit at Stanford University, President Obama signed an Executive Order to “encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.”

While 2014 was aptly named "The Year of the Data Breach," 2015 has unfortunately started off in a similar trajectory, with breaches at several parking services and Anthem suffering the largest healthcare breach in history. On their own, these incidents paint a pretty bleak picture for data security, but in aggregate, they're even more alarming.