As holiday mobile commerce breaks records, retail apps display security red flags

Driven by the pandemic, many consumers rely on mobile apps to buy everything from daily essentials to holiday gifts. However, according to a recent analysis, there are some alarming security concerns among some of the top 50 Android retail mobile apps. Retail mobile apps are missing basic security functionality Most of the top 50 retail mobile applications analyzed in September 2020 did not apply sufficient code hardening and runtime application self-protection (RASP) techniques. These security … More

The post As holiday mobile commerce breaks records, retail apps display security red flags appeared first on Help Net Security.

Holiday shopping season fraud stats revealed

There’s a 1% decrease in suspected online retail fraud worldwide during the start of the 2020 holiday shopping season compared to the same period in 2019, a 59% increase from the same period in 2018 and a 14% increase from all of 2020 so far, TransUnion research reveals. Holiday shopping season fraud stats The findings are based on the same-store sales analysis of e-commerce customers during the traditional start of the global holiday shopping season, … More

The post Holiday shopping season fraud stats revealed appeared first on Help Net Security.

PCI SSC updates standard for payment devices to protect cardholder data

The PCI Security Standards Council has updated the standard for payment devices to enable stronger protections for cardholder data.

pts poi standard

Meeting the accelerating changes of payment device technology

The PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements 6.0 enhances security controls to defend against physical tampering and the insertion of malware that can compromise card data during payment transactions.

Updates are designed to meet the accelerating changes of payment device technology, while providing protections against criminals who continue to develop new ways to steal payment card data.

“Payment technology is advancing at a rapid pace,” says Emma Sutcliffe, SVP, Standards Officer at PCI SSC. “The changes to this standard will facilitate design flexibility for payment devices while advancing the standard to help mitigate the evolving threat environment.”

Protecting PINs

Established to protect PINs and the cardholder data stored on the card (on magnetic stripe or the chip of an EMV card) or used in conjunction with a mobile device, PTS POI Version 6.0 reorganizes the requirements and introduces changes that include:

  • Restructuring modules into Physical and Logical, Integration, Communications and Interfaces, and Life Cycle to reflect the diversity of devices supported under the standard and the application of requirements based upon their individual characteristics and functionalities.
  • Limiting firmware approval timeframes to three years to help ensure ongoing protection against evolving vulnerabilities.
  • Requiring devices that accept EMV enabled cards to support Elliptic Curve Cryptography (ECC) to help facilitate the EMV migration to a more robust level of cryptography.
  • Enhancing support for the acceptance of magnetic stripe cards in mobile payments using solutions that follow the Software-Based PIN Entry on COTS (SPoC) Standard.

“Feedback from our global stakeholders, along with changes in payments, technology and security is driving the changes to this standard,” said Troy Leach, SVP at PCI SSC. “It’s with participation from the payments industry that the Council is able to produce standards that are relevant and enhance global payment card security.”

More authentication and identity tech needed with fraud expected to increase

The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks.

identity tech

FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase.

Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent saying they expect a moderate rise in fraud.

“While the convenience of real-time payments is great news for customers, increasingly, banks have zero time to clear a transaction or payment. AI can’t slow down the clock, but it can help create systems that are radically quicker to recognize a transaction that smells likely to be fraudulent,” said Dan McConaghy, president of FICO in Asia Pacific.

“Banks will need to move beyond passwords and OTPs and add biometrics, device telemetry and customer behavior analytics to keep up with the changing payments landscape.”

Authentication and identity tech

When asked which identity and authentication strategies they used, the majority of APAC banks have a strategy of multi-factor authentication (84 percent). They increasingly use a wide range of authentication methods including: biometrics (64 percent), normal passwords (62 percent) and in last place behavioral authentication (38 percent).

Interestingly, nearly half of the respondents (46 percent) are currently only using 1 or 2 of these strategies, potentially leaving them more exposed to attack vectors such as identity theft, account takeovers, cyberattacks.

“Why try to crack a safe when you can walk in the front door?” explained McConaghy.

“Criminals are trying to fool banks into thinking they are new customers or stealing account access by tricking people into making security mistakes or giving away sensitive information. When they are successful, criminals are making use of real-time payments to move funds quickly through a maze of global accounts.”

The survey bore this out with 40 percent of banks naming social engineering as the number one fraud concern when it comes to real-time payments. Account takeovers were ranked second, with false accounts and money mules also rated as problems.

New forms of biometric, multi-factor and behavioral technologies allow banks to stop payments being made, even if an account appears to be using the correct but stolen password or entering the right, but intercepted, one-time-password.

“Beyond this type of account take over, we also have authorized push payment fraud, such as when a customer is tricked into paying what they think is a legitimate invoice like a fake school bill or payment to a tradesperson,” said McConaghy.

“This type of social engineering is harder to stop but better KYC, link analysis to find money mule accounts and behavioral analytics to flag new accounts for a regular payee, are all examples of how to tackle it.”

Mitigating criminal behavior

Further to stopping fraud in real-time payment platforms, crimes such as drug trafficking, human smuggling, tax evasion and terrorism finance are also attracted to the irrevocable nature of instant payments.

The lack of visibility between jurisdictions has seen regulators encouraging banks to move quickly in this cross-border payments space to ensure payments are compliant and secure.

In terms of mitigating this criminal behavior, more than 90 percent of APAC banks surveyed thought that convergence between their fraud and compliance functions would be helpful in defending transactions on real-time payments platforms.

“We estimate that there is about an 80 percent overlap in software functionality between legacy fraud and anti-money laundering systems,” added McConaghy.

“To tackle fraud and money laundering schemes that exploit real-time money movement you need to leverage all the available technologies, automate as much as you can and introduce models that can identify outlier transactions and customer behavior so your teams can spend their time investigating the riskiest of the red flags.”

Facial recognition hardware to reach over 800 million devices by 2024

A new report from Juniper Research found that facial recognition hardware, such as Face ID on recent iPhones, will be the fastest growing form of smartphone biometric hardware. This means it will reach over 800 million in 2024, compared to an estimated 96 million in 2019.

facial recognition hardware

The new research, Mobile Payment Authentication: Biometrics, Regulation & Forecasts 2019-2024, however notes that the majority of smartphone facial recognition will be software-based, with over 1.3 billion devices having that capability by 2024.

This is made possible by advances in AI, with companies like iProov and Mastercard offering facial recognition authentication that is strong enough to be used for payment and other high-end authentication tasks.

Juniper Research recommends that all vendors embrace AI to drive further developments of capabilities and therefore increase customer acquisition.

Fingerprints to lead remote commerce authentication

The research also found that despite the ubiquitous nature of selfie cameras, fingerprint hardware will remain a dominant element in biometric payments, as sensors expand to emerging markets. Juniper Research anticipates over 4.6 billion smartphones worldwide will have fingerprint sensors installed by 2024, although their usage for payment will be significantly lower than this.

This expansion of biometric capabilities will bring the technology to more eCommerce platforms, as retailers seek to meet enhanced security requirements. Originally envisioned for contactless payment use, the report expects over 60% of biometrically-authenticated payments in 2024 will be for authorizing remote payments.

As the longest running biometric modality, fingerprint payments will take the lead in this market as standards coalesce around the technology more easily than for facial recognition payments.

“Many consumers are now used to making fingerprint-based biometric payments, both for contactless and remote payments,” remarked research author James Moar, a Lead Analyst at Juniper Research. “That familiarity and continued inclusion in smartphones will make it hard to displace in many markets.”

Nearly half of consumers worry about being tricked by fraudsters this holiday season

There has been a 29% increase in suspected online retail fraud during the start of the 2019 holiday shopping season compared to the same period in 2018, and a 60% increase in suspected e-commerce fraud during the same period from 2017 to 2019, according to iovation.

online retail fraud increase

The findings are based on the online retail transactions analyzed for its e-commerce customers between Thanksgiving and Cyber Monday over the last three years.

“Among the conclusions from TransUnion’s 2019 Holiday Retail Fraud Survey: nearly half of all consumers, 46%, are concerned with being victimized by fraudsters this holiday season with baby boomers being the most concerned of any generation at 54%,” said TransUnion Senior VP of Business Planning and Development, Greg Pierson.

Additional findings: Online retail fraud increase

The percent of suspected fraudulent e-commerce transactions during the start of the holiday shopping season and entire year compared to legitimate transactions for the past three years.

  • 15% from Nov. 28 to Dec. 2, 2019. 10% so far in 2019.
  • 13% from Nov. 22 to Nov. 26, 2018. 11% all of 2018.
  • 11% from Nov. 23 to Nov. 27, 2017. 7% all of 2017.

The top days during the start of the 2019 holiday shopping season for legitimate and suspected fraudulent online retail transactions.

  • Thanksgiving, Nov. 28: 16% of legitimate holiday weekend transactions (#5). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
  • Black Friday, Nov. 29: 26% of legitimate holiday weekend transactions (#1). 25% of suspected fraudulent holiday weekend transactions (#1).
  • Saturday, Nov. 30: 19% of legitimate holiday weekend transactions (#3). 19% of suspected fraudulent holiday weekend transactions (#3).
  • Sunday, Dec. 1: 17% of legitimate holiday weekend transactions (#4). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
  • Cyber Monday, Dec. 2: 22% of legitimate holiday weekend transactions (#2). 21% of suspected fraudulent holiday weekend transactions (#2).

The countries and U.S. cities where the highest percentage of suspected fraudulent e-commerce transactions originated from during the start of the 2019 holiday shopping season.

Country

  • China: 57%
  • Central African Republic: 57%
  • Lebanon: 45%

U.S. city

  • Boardman, Oregon: 70%
  • Pineville, Louisiana: 42%
  • Alexandria, Louisiana: 38%

online retail fraud increase

Mobile transaction and fraud trends

The survey also found that consumers used a mobile phone or tablet for 63% of their online retail transactions during the start of the 2019 holiday shopping season. That is up from 58% for the same period in 2018 and 56% for the same period in 2017.

For the holiday shopping weekend, retail transactions from a mobile phone compared to all e-commerce transactions were:

  • 64% on Thanksgiving, Nov. 28
  • 63% on Black Friday, Nov. 29
  • 67% on Saturday, Nov. 30
  • 66% on Sunday, Dec. 1
  • 57% on Cyber Monday, Dec. 2

“Year after year it becomes clear that when not at work, consumers increasingly prefer using their mobile devices to make retail purchases due to their convenience,” said iovation’s Senior Director of Customer Success, Melissa Gaddis. “Once at work when they’re at their desk, consumers turn to their desktop and laptop computers to make purchases.”

Always trying to emulate the purchasing patterns of trusted consumers, mobile is also the preferred method for fraudulent online retail transactions. A mobile phone or tablet appeared to be used for 63% of all suspected fraudulent e-commerce transactions during the long holiday shopping weekend compared to 59% from the same period in 2018 and 51% from the same period in 2017.

CPoC: New data security standard for contactless payments

The PCI Security Standards Council (PCI SSC) published a new data security standard for solutions that enable merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device with near-field communication (NFC).

CPoC

PCI CPoC Standard

Using the PCI Contactless Payments on COTS (CPoC) Standard and supporting validation program, vendors can provide merchants with contactless acceptance solutions that have been developed and lab-tested to protect payment data.

“The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance. Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader,” said PCI SSC Standards Officer Emma Sutcliffe.

“Contactless, or tap and go, payment adoption is on the rise globally, and merchants want affordable, flexible and safe options for contactless payment acceptance that allow them to best serve their customers. In addition to PCI Software-based PIN Entry on COTS (SPoC) Solutions that enable contactless payment acceptance with a dongle attached to the mobile COTS device, the PCI CPoC Standard and Program now provide merchants the option to use validated solutions that require no additional hardware to accept contactless transactions,” said PCI SSC Senior VP Troy Leach.

CPoC

Standard security requirements

The PCI CPoC Standard includes security requirements for vendors on how to protect payment data in CPoC Solutions and test requirements for laboratories (labs) to evaluate these solutions through the supporting validation program.

CPoC

The central elements

The primary elements of a CPoC Solution include: a COTS device with an embedded NFC interface to read the payment card or payment device; a validated payment acceptance software application that runs on the merchant COTS device initiating a contactless transaction; and back-end systems that are independent from the COTS device and support monitoring, integrity checks and payment processing. Software-based PIN entry is not permitted in a CPoC Solution.

Through a combination of the security controls built into the merchant application and ongoing monitoring and integrity checks performed by the back-end systems, merchants and consumers can have confidence in the security of the CPoC Solution and the contactless transaction.

What do cybercriminals have in store for 2020?

As we look to 2020 and a new decade, cybersecurity will continue to be a top priority for businesses and consumers alike. To help organizations prepare for the next year and beyond, Experian released its forecast, which predicts the top five threats businesses and consumers should be aware of in order to keep their information safe.

2020 top five threats

“Hackers are continuing to become more sophisticated with the tools at their disposal to gain control of personal devices and business operating systems,” said Michael Bruemmer, Vice President at Experian Data Breach Resolution.

“There has never been a more important time for organizations to be equipped with the knowledge and resources needed to try to prevent and respond to a data breach.”

2020: Top five threats

Cybercriminals will leverage text-based smishing identity theft techniques to target consumers participating in online communities. As more Americans continue to join like-minded groups on social media to provide financial support to social causes or political candidates, cybercriminals can solicit unsuspecting consumers with fraudulent messages via SMS text to seek bank account details or other sensitive information.

Hackers will take to the skies to steal consumer data from devices connected to unsecure networks. As cities install more free public Wi-Fi systems, the more than one million drone devices operating in the U.S. today may be armed with affordable mobile hacking devices to steal sensitive data from consumers and businesses on the streets below.

Cybercriminals will use deepfake technology to disrupt the operations of large commercial enterprises and create geo-political confusion. Artificial intelligence technology can manipulate C-suite executives and government leaders’ appearance and voice to blur the lines of what is real and what isn’t.

Burgeoning industries, such as cannabis retailers and cryptocurrency entities will be targeted for cyberattacks as a result of online activism or “hacktivism.” As a form of protest, hackers may seek to gain access to controversial companies’ sensitive data due to their prevalence in society and increased cash flow.

Cybercriminals will execute a major hack of the mobile point-of-sale platforms used to process transactions. The proliferation of mobile payment options would allow cybercriminals to access payment data over unsecured networks and target large venues such as concerts or major sporting events.