Last week, the Eighth Circuit Court of Appeals reversed the approval of the settlement class in a consumer class action arising from Target Corporation’s 2013 data breach.
We know it’s hard to believe, but sometimes even your beloved customers have malicious intentions. According to a newly published whitepaper by Radial, the majority of eCommerce fraud originates from cyber criminals who use compromised payment data to make unauthorized transactions, which makes managing eCommerce fraud extremely challenging. Merchants are forced to constantly balance risk exposure with customer disturbances, heavily invest in fraud detection technologies, and dedicate resources to preventing fraud. However, what happens when the customer is the one committing fraud? Commonly known as “friendly fraud”, this type of first-party fraud occurs when customers transact online and then claim their purchase was unauthorized. Follow the Rippleshot Team as we quantify how much friendly fraud has been costing merchants (quick teaser: billions), and the steps merchants should take to avoid it.
Two years ago, security professional and evangelist David Holmes dubbed 2014 “The Year of the Mega-Breach”, and reasonably so, as multiple headlines featured news of massive data breaches at Home Depot, J.P. Morgan Chase, and eBay. However, the following year had a roster of mega-breaches that made the previous year’s incidents pale in comparison, causing the term to quickly become obsolete. After a holistic review of the data breaches that have occurred throughout the current year, the Rippleshot Team has decided to resurrect the concept, with a little twist. Follow along as we discuss why 2016 is “The Year Of The SMB Breach”, how data breaches can be catastrophic to small to mid-size businesses (SMBs), and what implications SMB breaches have for the overall cybersecurity industry.
Chip-card hacking has most likely been around longer than you think. Commonly known as the EMV standard, which represents the card network consortium of Europay, Mastercard, and Visa, the chip-based card technology has been widely adopted in virtually every global market (except for the U.S. until recently). EMV was born in 1994, when the three international payment systems sought to develop a global chip specification for payment systems, and the first production version was released in 1996. By embedding a secure chip into a plastic payment card, EMV technology enhances the overall security of debit/credit cards, overshadowing the effectiveness of the traditional magnetic stripe-and-swipe. In addition to replacing the outdated signature with a more secure PIN (personal identification number), the chip card utilizes cryptographic processing to create an ID that is unique to every transaction, as opposed to displaying sensitive account and payment information. However, the common misconception is that EMV is the “be all, end all” of payment security; this couldn’t be further from the truth. Find out how chip-card hacking has evolved from a replacement of internal hardware to sophisticated ATM shimming software as the Rippleshot Team explores the history of chip-card hacking.
We have a good idea of the short-term consequences of data breaches: lawsuits, chargebacks, etc. But what about the long-term? A recent research report published by Claire Greene and Joanna Stavins of the Federal Reserve Bank of Boston sought to find a conclusive answer, leveraging consumer perceptions surrounding Target’s data breach as a case study. By examining longitudinal data on 1,908 US adults from results of the Survey of Consumer Payment Choice (SCPC), the report took advantage of a naturally ripe environment for experimentation, as some respondents were asked to rate payment instrument security before the Target data breach became public knowledge, and others answered the survey after news of the breach became widespread. Although the research has merit in identifying the inelastic behavior of consumers regarding payment instrument usage, it fails to address how data breaches contribute to costly card-reissuance and false-positive declines for banks and credit unions.
The aftermath of headline-grabbing data breaches at deep-pocketed retailers is almost always characterized by litigants of all sizes lining up to seek reparation for their legal injuries. These litigants can come in the form of disgruntled financial institutions, who demand compensation for breach-related expenses, or unhappy consumers who have suffered from theft of personal/financial information and unauthorized charges on their accounts. Although consumer class-action lawsuits are a dime a dozen, they typically do not fare well in court, as courts generally conclude that their losses are covered in full by banks. On the other hand, financial institutions have a much easier time proving the costs associated with data breaches, such as card reissuance and reimbursement on fraudulent transactions. Follow along as we discuss the most recent data breach lawsuits including Target, Home Depot, and Wendy’s, and their effect on consumers, financial institutions, and retailers.
By 2019, the global e-commerce market is predicted to be worth US $2.4 trillion. In short, e-commerce is growing at an unforeseen rate. Unfortunately, it also means that online payment fraud, a notorious companion, will tag along for the ride. In their latest research report, Fraud Trends 2016, WorldPay highlights the key issues at the fore of global risk and fraud prevention, such as perceptions regarding mobile fraud, the use of social media in risk mitigation, and the inability of companies to effectively leverage data.
The landscape of fraud between 2015 and 2016 is best characterized as uncertain and dynamic. As government institutions such as the CFPB and FFIEC begin to play a bigger role in cybersecurity regulation, it has yet to be seen what data security protocols will be required of financial institutions. Also, pending legislation in Congress surrounding data security has the potential to determine federal standards of information security for merchants. Finally, with back-and-forth lawsuits between retailers, payment card networks, and issuers over disputes regarding EMV compliance and liability shift, nobody is exactly sure who will come out on top.
At Rippleshot, we understand how difficult it can be to juggle so many moving parts and develop actionable insights from them. That’s why we created a timeline for you to get up to speed on recent developments in card fraud and payments security.
It’s easy to get caught up in the headlines, particularly when stories of large-scale breaches of cardholder information seem to grace the front of newspapers on a weekly basis. But the truth is, even though the Targets, Home Depots, Michaels and Wendy’s are all-encompassing as far as the media goes, they’re actually not the majority of the card compromises that take place, not by a long shot.
Hackers are increasingly targeting the lodging and restaurant industries to steal customer card information. According to a Trustwave study of data breaches in 24 countries, 38% occurred at hotels, making it the most breached type of business. In the last two years alone, the industry has experienced several high-profile breaches at well-known chains. While the well-known chains have gathered the most attention, smaller hotels and motels are likely to have been targeted as well. Most of those go undetected or unreported, creating additional headaches for consumers whose card information has been stolen and for banks who need to mitigate the subsequent fraud losses.
We’ve long covered the issues with gas pump skimmers, and have consistently seen automated fuel dispensers (MCC 5542) show up in the most compromised merchant categories. But this history, combined with the extended deadline for gas stations to become EMV compliant, has led to them being an even bigger and easier target for hackers.
We often hear about the hundreds of data breaches that hamper organizations every year and the impact cybercrime has on merchants, financial institutions and consumers. But rarely do we see the criminals behind these attacks identified by law enforcement, and it is an even rarer sight to see these criminals brought to justice. For many cases involving a data breach, it can take years to gather enough evidence for law enforcement to move forward with an investigation.
Welcome to the second part of our blog series on cybersecurity and foreign affairs. Last week, we covered the recent data breaches and security incidents involving Russian-based hackers that have targeted organizations here in the United States, including the Internal Revenue Service (IRS) and the White House.
In 2014, over 1 billion records were stolen due to data breaches and other security-related incidents. Some of the most well-known brands here in the United States were the target of cyberattacks, making it nearly impossible to not be affected, or know of someone who had been.
While the breadth of data being stolen in breaches has reached critical mass, the most valuable still remains payment card data - which is why many hackers still target it directly. Wondering how they do it? Follow along as we dive into the different ways fraudsters steal card information and how they then use it.