The ugly truth is that every business that accepts payments via credit card, debit card, or ACH is a potential target for a data breach. It is one of the most stressful situations to find yourself in, and it can lead to a damaged reputation on top of financial repercussions. The key to security is multiple layers of defenses; this layered approach is critical today and incorporates your employees, your bank, and more.
Cybercriminals are lurking and watching for weaknesses in your defenses. Below we will discuss these malicious actors, their motivations, your risks as a business, conventional strategies of attack, and the tools, policies, and features at your disposal. With this additional knowledge, we hope you may build or enhance your multi-layer defensive strategies.
Motivation: Why are they targeting businesses like yours?
The primary motivation for these malicious entities to target your business is simple: money. They are looking for a means to make the largest illicit gains as easily and quickly as possible.
Fraudulent strategies take several forms. The most common are scrubbing lists of compromised card numbers to identify the ones that remain active, using stolen cards to purchase tangible goods that are then resold on secondary markets, and compromising a business's points of purchase to steal card numbers and build new lists for sale.
Your risks: How do these strategies work? How might they harm your business?
Fraudulent Purchases: Traditionally, this strategy follows a pattern. A fraudulent entity makes contact with your business wishing to purchase some tangible products or materials. Once they have succeeded in having their order created, they utilize a previously compromised payment card to “pay” for these items and arrange shipping or pickup.
Typically, these entities will opt for the fastest delivery method, regardless of potential costs, as they intend to gain possession of the goods before their stolen card information is discovered.
Once they have received the products, they will immediately transfer them to unknown locations and resell them into secondary markets.
If your business falls victim to this form of attack, you won’t know until days or weeks after the materials have left your door. You’ll often receive a notice that the card used has been charged back and the funds debited back out of your company bank account. In these cases, you have lost the funds and the hard costs associated with purchasing those products from your suppliers.
Fraudulent orders are usually either for large quantities of products or for high-dollar items, often costing the victim business $10,000 or more.
Scrubbing Lists Of Compromised Cards: It seems a data breach makes the news cycle every month or so, and for every massive breach we hear about, hundreds of other smaller-scale compromises occur.
This myriad of ongoing breaches leads to tens of thousands of card numbers being stolen, bought, and sold on the dark web every day. But a list of compromised cards on its own has only limited value, because the entities buying and selling it know that the vast majority of cards on an unverified list have usually already been invalidated and will not work for new transactions.
If a malicious actor can winnow that list down to only those cards that remain active, this new list grows in value many times. It can be immediately resold at a profit or used in a second phase to complete fraudulent purchases/charges.
The best way to determine if a stolen card number is still active is to submit a transaction using that card and look at the result. If successful, then the fraudulent entity knows that card is still valid and valuable.
But submitting these transactions must be done via a valid credit card processing account, and each attempt incurs a communication fee. When attempting transactions to determine the validity of thousands of cards, these fees add up quickly. Furthermore, running thousands of transactions in a short time, the bulk of which are declined, will often lead the processing banks to flag the credit card processing account and suspend its access to the processing networks.
These two factors explain why the malicious actors are looking to break through your walls and access your processing accounts. They don’t want to pay the fees or risk having the accounts they use in their scam shut down.
Suppose they do manage to compromise your processing systems. In that case, they may then execute their scheme, and your business is stuck staring down the resulting fees and operational interruptions as a consequence.
So what might this look like in dollars and cents? For the sake of example, let’s run a realistic, round number scenario below and find out.
Say one of these fraudulent actors finds a hole in your defenses and sets up a means by which they run a list of 10,000 cards through your processing account in hours or days. Depending on the specifics of the cards used, each attempt will likely result in your account being charged total transaction/communication fees of somewhere between $0.15 and $0.35. For the sake of this example, we will use $0.25 as the average fee your business incurs. As a result of this one failure in your defenses, your business is now looking at a bill of $2500. Additional expenses are likely as a result of the interruption to your ability to process legitimate transactions and the work involved in correcting and dealing with the fallout of the attack.
Compromising Point Of Payment Systems: This type of attack is used by those committing cybercrime to compromise valid cards in circulation and create new lists of card numbers for sale and use in schemes like those described above.
A successful attack often relies upon weakness and a lack of vigilance on the part of businesses in keeping their electronic payment systems up to date. There are many ways weakness can occur:
- Failure to run regular security updates/patches
- Insufficient or missing monitoring of computers and networks
- Lack of security policies for employees
- Failing to refresh physical payment devices to keep up with changing technologies
The Payment Card Industry Data Security Standard (PCI-DSS) was created so businesses can measure themselves and their systems against it and ensure they are implementing the security protocols necessary to protect themselves from being a victim of this type of attack.
You can learn much more about the PCI standards, how they affect your business, and find valuable resources directly from the organization in charge of maintaining these standards, here.
Suppose you do fall victim to a breach of your payment systems. Beyond the risk to your business's reputation and the potential loss of clients and sales, it may also result in significant financial loss due to fines, penalties, legal fees, and other costs.
The Enemy Is On The March and Looking For Weakness
Social Engineering: The term “Social Engineering” refers to a strategy by which cybercriminals don’t directly attack your software or hardware systems but instead target your workforce, the people who have access to the capabilities the criminal wishes to take advantage of.
This type of attack often relies on using your team’s emotions and habits against them and is one of the most effective weapons in a cybercriminal’s arsenal. This is because, somewhere in your organization, at least one person has access to your ordering, payment, or security systems.
One example: a malicious entity contacts a member of your sales team to place an order for a dozen laptop computers, which need to be shipped overnight to a remote office because everyone there has just been told they will be working from home effective in two days.
This story is designed by the criminal to elicit several powerful emotional reactions in your team member:
- Happiness at the opportunity to make a significant sale.
- Desire to complete the sale and earn a commission or other reward.
- Urgency to complete the transaction as quickly as possible.
- Empathy at the “tough” situation the criminal has found themselves in.
- Pride that they’ve turned to you and your organization to help them in their time of need.
These techniques are powerful and all too easy for an inexperienced team member to fall for. Teaching your team how to avoid this well-laid trap will help you prevent a data breach.
Unprotected Online Payment Tools: If your business employs an online product marketplace that allows customers to select items, pay, and have them shipped, or offers simple electronic payment of outstanding bills, these features may put you at risk if not implemented with proper security in mind.
An online marketplace that fulfills and ships client orders without oversight controls on the amount of each order or the number of items that can be purchased elevates your risk of being the victim of fraudulent purchases.
A bill-pay form that allows individuals to enter their card details and run a transaction, without first verifying their identity or their knowledge of the specifics of their account with your business, is an unprotected target for a card scrubbing attack.
Compromise Of Payment System Login Credentials: If criminals gain access to your payment systems’ account credentials, they could hijack your processing account and use it to grow their list of verified stolen credit cards.
As mentioned in the example above, even a relatively small list of 10,000 cards can easily result in $2500 or more in fraudulent transaction fees for your business.
Outdated Hardware And Software: When the systems used to accept payment from customers are not maintained and updated regularly, they may open you to an attack designed to compromise the cards used by your customers and allow cybercriminals to generate new lists for sale and use across their criminal enterprises.
These updates and maintenance cycles are critical considerations for your payment software, the computers and networks through which the software communicates, and even the point of purchase devices designed to interact with the customer’s payment card.
What Defense Options Do I Have?
Your team is both your greatest security asset and liability.
Your team is the first line of defense and must remain vigilant to external and internal threats to the business. In this day and age, a touch of paranoia or suspicion is necessary for every member of your team to maintain constant vigilance.
Thus, it is important to give guidance and training to every team member on the threats they face: suspicious urgency, out-of-character email requests, the tactics mentioned above, and many more. Further, this training must not be a one-time occurrence but something reinforced regularly.
In addition to regular training, supporting your team members in following strict operational security policies is another vital component in ensuring their success and the strength of your defenses. A couple of examples include:
- First-time purchase policies – Ensure essential questions about a new customer are asked, answered thoroughly, and documented before allowing them to purchase a product; for example: How did you find our business? Were you referred by one of our existing customers, and by whom? These policies should include limits on the quantity or dollar amount a first-time customer can purchase using ACH or credit cards. Any first-time purchase over $2500 must be completed via direct wire transfer.
- Review purchase details before shipping product – Any purchase above a defined threshold of either quantity or amount should trigger a review. The review should be completed by someone other than the team member who facilitated the sale, and it should confirm the order has no other red flags beyond the quantity or amount that triggered it. These additional red flags may include:
  - First-time purchase
  - Shipping address far from the billing address of the payment used
  - Expedited/overnight shipping
  - A short window from first contact to date of purchase
- Strength = Length: It can sometimes seem that the key to a “strong” password is including numbers (7,8,9,0) and symbols (&%$!), because these additions are required by many of the password-protected systems you access today. Unfortunately, the inclusion of these additional character types only marginally increases the difficulty with which a person or program can guess or crack your password. Adding a single character, going from 8 to 9 total characters, increases its strength far more. As an example, the time it takes a computer algorithm to crack a 9-character password is only about 2 hours, but by adding a few keystrokes and making the password 12 characters long, the algorithm will take nearly two CENTURIES to crack it with today’s computing power.
- Do not reuse passwords: A standard attack method involves scanning databases of previously compromised user credentials and attempting those on other systems. If you reuse your password, then you open yourself to this type of attack.
- Consider a password keeping system: You may find it helpful to use one of the many available password management systems, such as LastPass, Dashlane, or 1Password. These tools can generate a unique password for you with each new account. Be sure the primary access to this tool is secured by both a long password, or better yet a short sentence (a passphrase), and a second factor of authentication.
- Check out a recent rundown of free password managers here.
- 2FA (Two-Factor Authentication) – Activating this function for all of your BNG Gateway users adds a further defense against malicious actors who may obtain a user’s password, preventing account compromise.
- AVS (Address Verification System) – This free gateway feature allows you to configure the automatic rejection of credit card transactions whose authorization returns a result indicating that the address details provided by the payer do not fully match those registered to the card.
- I Spy Fraud – A paid service that allows you to define rules that limit transaction attempts based on several properties, such as originating IP address, attempts per time window, and amount.
- QuickClick or Simple Online Payment forms:
  - Required fields
  - Pair with AVS and I Spy Fraud
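The two purchase policies above (first-time limits and a second-person review above a threshold) and the list of red flags can be written down as a small decision procedure. The following is an added example, not code from the guide or from BNG: the $2500 first-time limit is the guide's, while the quantity threshold, the 24-hour contact window, the ZIP-prefix test used for "far from the billing address", and the sample orders (including the overnight-laptops story) are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The $2500 first-time limit comes from the guide; the remaining thresholds
# are assumptions chosen for this example.
FIRST_TIME_CARD_ACH_LIMIT_USD = 2500.00
REVIEW_AMOUNT_USD = 2500.00
REVIEW_QUANTITY = 10
MIN_CONTACT_TO_PURCHASE = timedelta(hours=24)
EXPEDITED_METHODS = {"overnight", "2day"}


@dataclass
class Order:
    customer: str
    first_time_customer: bool
    payment_method: str        # "card", "ach" or "wire"
    amount_usd: float
    quantity: int
    billing_zip: str
    shipping_zip: str
    shipping_method: str       # "ground", "2day" or "overnight"
    first_contact: datetime
    order_time: datetime
    salesperson: str


def far_from_billing(order):
    # Assumption: a different three-digit ZIP prefix (a different sectional
    # center) counts as "far"; a real check would geocode both addresses.
    return order.billing_zip[:3] != order.shipping_zip[:3]


def red_flags(order):
    """The additional red flags listed in the guide, as a list of strings."""
    flags = []
    if order.first_time_customer:
        flags.append("first-time purchase")
    if far_from_billing(order):
        flags.append("shipping address far from billing address")
    if order.shipping_method in EXPEDITED_METHODS:
        flags.append("expedited shipping")
    if order.order_time - order.first_contact < MIN_CONTACT_TO_PURCHASE:
        flags.append("short window from first contact to purchase")
    return flags


def review(order, reviewer):
    """Apply the first-time payment limit, then the second-person review."""
    if (order.first_time_customer and order.payment_method in {"card", "ach"}
            and order.amount_usd > FIRST_TIME_CARD_ACH_LIMIT_USD):
        return {"action": "hold",
                "reason": "first-time purchase over limit must be paid by wire",
                "flags": red_flags(order)}
    needs_review = (order.amount_usd > REVIEW_AMOUNT_USD
                    or order.quantity >= REVIEW_QUANTITY)
    if not needs_review:
        return {"action": "ship", "reason": "below review threshold", "flags": []}
    if reviewer == order.salesperson:
        raise ValueError("reviewer must not be the team member who made the sale")
    flags = red_flags(order)
    if flags:
        return {"action": "hold", "reason": "red flags beyond threshold", "flags": flags}
    return {"action": "ship", "reason": "reviewed, no additional red flags", "flags": []}


def sample_orders():
    """Constructed sample orders (not real customers)."""
    t = datetime(2024, 3, 1, 9, 0)
    return {
        # the overnight-laptops story: first contact two hours before ordering
        "laptops": Order("NewCo", True, "card", 14400.00, 12, "90210", "10001",
                         "overnight", t, t + timedelta(hours=2), "sam"),
        # a long-standing customer's large but unremarkable restock
        "restock": Order("Acme", False, "ach", 6000.00, 40, "60601", "60602",
                         "ground", t - timedelta(days=400), t, "sam"),
        # a small repeat order below every threshold
        "small": Order("Acme", False, "card", 120.00, 2, "60601", "60602",
                       "2day", t - timedelta(days=400), t, "sam"),
    }


if __name__ == "__main__":
    for name, order in sample_orders().items():
        print(name, review(order, reviewer="dana"))
```

The laptop order is held twice over: it exceeds the first-time card limit, and it carries all four red flags. The restock is above the amount threshold, so it must be reviewed by someone other than the salesperson, but it clears with no flags.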
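To show what the AVS and I Spy Fraud rules described above do against a card scrubbing run, here is an added example, not the I Spy Fraud product or any BNG code: a rule set combining three of the properties named in the list (attempts per IP within a time window, prior declines, amount) with an AVS reject filter, run over a constructed log of authorization attempts. The thresholds, the log format, the IP addresses and the sample attempts are assumptions made for the example; "Y" and "N" are the standard AVS codes for a full match and no match.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authorization attempts (hypothetical log format, not
# the BNG Gateway's). Fields: timestamp, source IP, amount in USD, processor
# outcome, and the AVS code returned with an approval ("" when none). The
# first six rows are the shape a scrubbing run takes: one IP, tiny amounts,
# mostly declines, seconds apart.
SAMPLE_ATTEMPTS = [
    ("2024-03-01T10:00:00", "203.0.113.7",   1.00,    "decline", ""),
    ("2024-03-01T10:00:20", "203.0.113.7",   1.00,    "decline", ""),
    ("2024-03-01T10:00:45", "203.0.113.7",   1.00,    "decline", ""),
    ("2024-03-01T10:01:05", "203.0.113.7",   1.00,    "approve", "N"),
    ("2024-03-01T10:01:30", "203.0.113.7",   1.00,    "decline", ""),
    ("2024-03-01T10:02:00", "203.0.113.7",   1.00,    "decline", ""),
    ("2024-03-01T10:15:00", "198.51.100.20", 149.99,  "approve", "Y"),
    ("2024-03-01T11:30:00", "192.0.2.44",    2500.00, "approve", "Y"),
]


class FraudRules:
    """Velocity, amount and AVS checks of the kind a gateway rule set offers.
    All thresholds are assumptions chosen for this example."""

    def __init__(self, window=timedelta(minutes=10), max_attempts=5,
                 max_declines=3, min_amount=2.00, reject_avs=("N",)):
        self.window = window
        self.max_attempts = max_attempts
        self.max_declines = max_declines
        self.min_amount = min_amount
        self.reject_avs = set(reject_avs)
        self.history = defaultdict(deque)   # ip -> deque of (time, outcome)

    def _recent(self, ip, now):
        # Drop attempts that have aged out of the sliding window.
        q = self.history[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()
        return q

    def screen(self, ts, ip, amount, outcome, avs):
        """Return the reasons this attempt should be blocked or voided; an
        empty list means it passes. The velocity rules look only at earlier
        attempts from the same IP inside the window, so the first attempts
        from a fresh IP pass them; the amount floor and the AVS filter are
        what catch those."""
        now = datetime.fromisoformat(ts)
        prior = self._recent(ip, now)
        reasons = []
        if len(prior) >= self.max_attempts:
            reasons.append("attempts per IP over limit")
        if sum(1 for _, o in prior if o == "decline") >= self.max_declines:
            reasons.append("prior declines over limit")
        if amount < self.min_amount:
            reasons.append("amount below floor")
        # AVS comes back with the authorization; a gateway configured to
        # reject on mismatch voids the approved authorization automatically.
        if outcome == "approve" and avs in self.reject_avs:
            reasons.append("AVS mismatch")
        prior.append((now, outcome))
        return reasons


def screen_all(attempts, rules=None):
    """Screen attempts in log order; returns one reason list per attempt."""
    rules = rules or FraudRules()
    return [rules.screen(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, reasons in zip(SAMPLE_ATTEMPTS, screen_all(SAMPLE_ATTEMPTS)):
        print(attempt[0], attempt[1], "BLOCK" if reasons else "ok",
              ", ".join(reasons))
```

Every attempt from the scrubbing IP is stopped by at least one rule, while the two ordinary purchases from other addresses pass untouched. In a real deployment the thresholds need tuning against your legitimate traffic (a busy retail site will see more attempts per IP than a B2B order desk), which is why the guide pairs these rules with the policies and training above rather than relying on any single layer.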
Physical Acceptance Devices
- EMV – Chip card payment technology: If you accept physical cards, but your system does not yet support inserting and reading a card’s chip, in addition to swiping the card, then your hardware is now out of date and should be upgraded.
- Point-to-Point Encryption (P2PE): This is the current gold standard for physical acceptance devices. With this technology, the customer information encoded on their card is encrypted within the card reader device itself, before it is transferred over the wire to your computer or local infrastructure. This security feature ensures that threats to your network or computers cannot steal your customers’ card data.
- NFC – Contactless Payments: Another recent trend, contactless payment options on your physical acceptance devices, allows your customers to pay with a virtual card managed on their smartphone or via the embedded chips in some payment cards.
Need help with gateway security?
This guide is meant to help you address any potential weak points within your business, but it’s only the beginning. If you want to implement any of these additional security features in your business and develop a dedicated multi-layer security approach, reach out to our support team with any questions @ firstname.lastname@example.org.