Rippleshot Blog

In early September, New York Governor Andrew Cuomo introduced new regulation that would make the state the first in the nation to enforce a cybersecurity program for financial institutions. While some have compared the regulation to the FFIEC (Federal Financial Institutions Examination Council)’s Cybersecurity Assessment Tool and guidelines, the proposed regulation would actually go much farther in its quest to ensure all financial institutions in NY are prepared for and are doing their best to prevent cyber attacks.

2 years ago, security professional and evangelist David Holmes dubbed 2014 as the “The Year of the Mega-Breach”, and reasonably so, as multiple headlines featured news of massive data breaches at Home Depot, J.P. Morgan Chase, and eBay. However, the following year had a roster of mega-breaches that made the previous year’s incidents pale in comparison, causing the term to quickly become obsolete. After a holistic review of the data breaches that have occurred throughout the current year, the Rippleshot Team has decided to resurrect the concept- with a little twist. Follow along as we discuss why 2016 is “The Year Of The SMB Breach”, how data breaches can be catastrophic to small to mid-size businesses (SMBs), and what implications SMB breaches have for the overall cybersecurity industry.

Bad news. Ransomware is back with a newfound vengeance. Many of us know ransomware to be a notorious form of malware that prevents users from accessing their own systems, either by locking a user from a system entirely (locker ransomware), or encrypting user files on an affected system (crypto-ransomware). In either case, users are forced to pay a ransom in order to restore functionality and access, many times to the tune of thousands of dollars. Although ransomware dates back to 1989, its practice has ebbed and flowed in its prevalence over the years. However, it is clear that 2016 has seen a marked increase in the frequency, cost, and effectiveness of ransomware incidents. Follow the Rippleshot Team as we document the return of ransomware and its impact on the cybersecurity landscape of 2016.

“Those who cannot remember the past are condemned to repeat it”.

This quote couldn’t hold more true when it comes to the EMV liability shift in America. Cybersecurity experts are perplexed regarding the future, scrambling to find clues in order to predict the who, what, when, and why of the EMV roll-out. What they don’t know is that the answers may actually lie within the past, or across the Atlantic Ocean. Most Americans are quick to forget that we were actually one of the latest to adopt the EMV standard, following suit after Africa, the Middle East, Asia, Latin America, and almost all of Europe. So when it comes to painting a picture of the aftermath that will result from widespread adoption of EMV protocols, why don’t we examine our international counterparts more closely? Join us as we discuss European history surrounding EMV adoption, fraud trends that will carry over to America, and the implications of widespread EMV implementation in our latest infographic: The Evolution of European Card Fraud.

Chip-card hacking has most likely been around longer than you think. Commonly known as the EMV standard, which represents the card network consortium of Europay, Mastercard, and Visa, the chip-based card technology has been widely adopted in virtually every global market (except for the U.S. until recently). EMV was born in 1994, when the three international payment systems sought to develop a global chip specification for payment systems, and the first production version was released in 1996. By embedding a secure chip into a plastic payment card, EMV technology enhances the overall security of debit/credit cards, overshadowing the effectiveness of the traditional magnetic stripe-and-swipe. In addition to replacing the outdated signature with a more secure PIN (personal identification number), the chip card utilizes cryptographic processing to create an ID that is unique to every transaction, as opposed to displaying sensitive account and payment information. However, the common misconception is that EMV is the “be all, end all” of payment security- this couldn’t be further from the truth. Find out how chip-card hacking has evolved from a replacement of internal hardware to sophisticated ATM shimming software as the Rippleshot Team explores the history of chip-card hacking.

We have a good idea of the short-term consequences of data breaches- lawsuits, chargebacks, etc. But what about the long-term? A recent research report published by Claire Greene and Joanna Stavins of the Federal Reserve Bank of Boston sought to find a conclusive answer, leveraging consumer perceptions surrounding Target’s data breach as a case study. By examining longitudinal data on 1,908 US adults from results of the Survey of Consumer Payment Choice (SCPC), the report took advantage of a naturally ripe environment for experimentation, as some respondents were asked to rate payment instrument security before the Target data breach became public knowledge, and others answered the survey after news of the breach became widespread. Although the research has merit in identifying the inelastic behavior of consumers regarding payment instrument usage, it fails to address how data breaches contribute to costly card-reissuance and false-positive declines for banks and credit unions.

The aftermath of headline-grabbing data breaches at deep-pocketed retailers is almost always characterized by litigants of all sizes lining up to seek reparation for their legal injuries. These litigants can come in the form of disgruntled financial institutions, who demand compensation for breach-related expenses, or unhappy consumers who have suffered from theft of personal/ financial information and unauthorized charges on their accounts. Although consumer class-action lawsuits are a dime a dozen, they typically do not fare well in court, as courts generally conclude that their losses are covered in full by banks. On the other hand, financial institutions have a much easier time proving the costs associated with data breaches, such as card reissuance and reimbursement on fraudulent transactions. Follow along as we discuss the most recent data breach lawsuits including Target, Home Depot, and Wendy’s, and their effect on consumers, financial institutions, and retailers.

The landscape of fraud between 2015 to 2016 is best characterized as uncertain and dynamic. As government institutions such as the CFPB and FFIEC begin to play a bigger role in cybersecurity regulation, it has yet to be seen what data security protocols will be required of financial institutions. Also, pending legislation in Congress surrounding data security has the potential to determine federal standards of information security for merchants. Finally, with back-and-forth lawsuits between retailers, payment card networks, and issuers over disputes regarding EMV compliance and liability shift, nobody is exactly sure who will come out on top.

At Rippleshot, we understand how difficult it can be to juggle so many moving parts and develop actionable insights from them. That’s why we created a timeline for you to get up to speed on recent developments in card fraud and payments security.

A fiery debate has resurfaced between financial institutions, merchants, and consumer groups regarding the Data Security Act of 2015. The bipartisan bill introduced to Congress as H.R. 2205 by Representatives Randy Neugebauer and John Carney on May 1st, 2015 explicitly states two purposes: “to establish strong and uniform national data security and breach notification standards for electronic data” and “to expressly preempt any related State laws in order to provide the Federal Trade commission with authority to enforce such standards for entities covered under this Act.”

Last year was a rollercoaster for the payments industry. An influx of mobile payment platforms, the start of EMV adoption, and a pack of criminals exploiting all of these uncertainties with a continued string of high profile data breaches has many fraud managers stressed beyond belief trying to manage it all. If it’s any consolation, Trustwave’s Global Security Report confirms that you’re not alone. Follow along as we highlight some of the report’s key insights on attacks, how they’re happening and what data criminals are targeting.

It’s been nearly a year since the Federal Financial Institutions Examinations Council (FFIEC) debuted the Cybersecurity Assessment Tool, commonly known in the industry as the CAT. At last week’s ABA Risk Management Conference, we learned a ton about the tool’s voluntary nature, how it compares to existing cybersecurity assessments, and how banks are passing the regulatory scrutiny onto their own vendors and third-party providers.