AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.
Post-Target, Treasurers Take Proactive Measures
DALLAS—Fraud has always been a concern for treasurers, and in the post-Target environment, it has become even more of a priority. At the latest meeting of AFP’s Treasury Advisory Group here in Dallas, practitioners discussed the new fraud issues they face, and the steps they are taking to address them, in the wake of the Target security breach.
One treasurer for a major retailer said that immediately following the Target breach, his company saw a huge spike in fraud on gift cards that customers can reload online. “We saw in a two-month period as much fraud as we typically see in a year,” he noted. “We didn’t have very sophisticated antifraud tools; we were just using basic stuff. The fraudsters’ sophistication level is to the point now where they are just blowing all of our protections away.”
Since then, the retailer has implemented a fraud scoring tool by security vendor ThreatMetrix for its e-commerce business. “Like a credit bureau score, it will score a credit card transaction,” the treasurer said. “You can just deny transactions that score too low. It looks at everything—whether you’re using a Yahoo address, what IP you’re coming from, how many times you’ve used that credit card, etc. It even looks at the type of device you are using.”
Another treasurer at the TAG meeting said that her company uses a similar tool for its prepaid products. “They are very effective; it’s amazing what they can do,” she said. “We picked it up through an acquisition of another company. That’s who they were using and had integrated. That’s how it came into our portfolio. But I’m going to go back and ask if they looked at it recently or thought about an RFP with other vendors.”
The first treasurer said that he has spoken to several of his retail peers and they informed him that they are also looking at technology vendors who offer similar fraud protections for their e-commerce operations. “If you’re an e-commerce business like Amazon, you’ve done this stuff years ago,” he said. “But if you’re not primarily an e-commerce merchant, you’ve been pretty vulnerable up to this point. It’s time to be more sophisticated.”
A third treasurer said that although his company has previously not addressed cyber risk, it is rethinking that approach. “The head of our IT security has been tasked with re-evaluating that,” he said. “Post-Target, the board has had conversations about it.”
The treasurer compared the Target breach to the TJ Maxx breach in 2007 that compromised more than 45 million credit and debit cards. “The compensation of those that were affected has changed dramatically,” he said. “It used to be a cash payout, which is pretty significant. Now it’s, ‘We’ll give you free credit monitoring, which you may or may not use.’ So that’s another thing that’s changed—the solutions to pay folks.”
New York’s Banks to be Held to Higher Cybersecurity Standards
The New York Department of Financial Services (DFS) will conduct cybersecurity assessments for the state’s banks, following the release of a report that revealed that cyberattacks are becoming more frequent, sophisticated and widespread.
The assessments will evaluate banks’ cybersecurity preparedness. Banks will be asked questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management and disaster recovery. The process is intended to provide a holistic view of banks’ cyber readiness.
Governor Andrew Cuomo said in a statement that the assessments aim to protect New Yorkers’ finances in the face of growing cyber threats. “Targeted cybersecurity assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached,” he said. “When consumers sign up for online banking they expect their personal information to be secure and we are working to make sure financial institutions take the proper precautions to safeguard it.”
The assessments follow a 2013 industry survey on cybersecurity, in which DFS polled 154 financial institutions on their cybersecurity programs, costs and future plans. According to banks, the greatest challenges to building an efficient cybersecurity program are the increasing sophistication of threats (71 percent) and emerging technologies (53 percent).
The majority of FIs experienced intrusions or attempted intrusions into their IT systems in the past three years. Methods used included malware (22 percent), phishing (21 percent), pharming (7 percent), and botnets or zombies (7 percent).
The most frequent types of criminal activity resulting from a breach were account takeovers (46 percent), identity theft (18 percent), telecommunication network disruptions (15 percent), and data integrity breaches (9.3 percent). Both small and large institutions reported third-party payment processor breaches (18 percent and 15 percent, respectively). Large institutions also experienced mobile banking exploitation (15 percent), ATM skimming/point-of-sale schemes (23 percent), and insider access breaches (8 percent).
Due to the rising threats, most banks are upping their game when it comes to cybersecurity. The DFS report found that 77 percent of all financial institutions increased their information security spending over the past three years. Most of the remaining institutions (18 percent) reported that budget spending remained the same; virtually no banks reported a decrease. Fully 79 percent said they expect to increase information security spending in the next three years.
DFS has recommended that all New York State-chartered depository institutions become members of the Financial Services-Information Sharing and Analysis Center (FS-ISAC), in order to receive notifications and information tailored to help protect their systems against cyber threats.