I remember when "Jaws 2" came out. The film’s slogan was, “Just when you thought it was safe to go back into the water.”
By the time you read this week’s "Friction Friday," if you're a merchant or an everyday credit card user, you may feel like you're treading in deep, dark, shark-infested waters.
About 18 months ago, Insightful Accountant began writing about the on-boarding of EMV (EuroPay, MasterCard and Visa) technology within the United States. EMV refers to those fancy "chips" in your credit cards that now require special card readers, special software and a whole set of EMV compliance standards.
The promise of this new system rested in how much better it was at preventing credit card fraud. Foreign countries have been using EMV since long before the United States, experiencing a fraction of the credit card fraud we experience now without EMV.
Then, we began hearing testimony before Congress by credit card security experts and EMV technology wizards that EMV probably wouldn’t impact fraud in the U.S. as much as elsewhere.
In fact, David French, senior VP, Government Relations for NRF, said in a statement submitted to the House of Representatives’ small business committee that “the new EMV equipment does not stop breaches, in many cases it provides no significant benefits either to the business or to the business’ regular customers. It is merely an additional expense small businesses are being told to bear.”
So, it appears that EMV is no better than what businesses had been using. But let’s assume for one moment that it is. Let’s assume that the new credit card terminals, even when you rule out the physical card skimming equipment that thieves have been able to attach to such devices, still are significantly better than the old way.
Well, the reality is that cyber criminals excel at a pace far greater than the ability of security experts to respond. As such, the issue of cyber credit card crime now has almost nothing to do with your physical credit card or the credit card terminal at all.
Are you ready to be rubbed raw?
Cyber criminals now are going straight to the software used to handle the transactions once your card is processed through the terminal.
More than 6,000 merchants with physical stores and online shops recently were found to be infected with malware in the form of JavaScript code that intercepts credit and debit card details and sends that information to the malware source. These credit card hackers are exploiting vulnerabilities in popular retailing and shopping cart software supporting merchants. Impacted merchants range from mom-n-pop stores to major online retailers.
Many times, the malware comes attached to emails or other common sources of information. It then worms its way around your system until it recognizes retail credit-card processing software or online shopping-cart interfaces. Next, the code invades that system and begins relaying card payment data, even encrypted card data, to collection servers in various foreign countries, most notably Russia.
These hackers have become experts in their ability to hide and disguise malware. At least nine to 10 different varieties of malware falling within three distinct malware family-types are associated with this new form of cyber criminality.
So, while online skimming is just like physical skimming, resulting in the theft of your credit and debit card details, the new online skimming threats are far more effective. Why? Because they are much harder to detect and nearly impossible to trace.
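A defensive check for the injected script described above, as an added example that is not part of the original article: it lists every script on a checkout page that loads from, or names a destination on, a host the merchant has not approved. The sample page, the host names and the card-field keyword heuristic are constructed assumptions.

```javascript
// Added example, not from the article: list scripts on a checkout page that load
// from, or name a destination on, a host the merchant has not approved.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const URL_RE = /(?:https?:)?\/\/[a-z0-9.-]+\.[a-z]{2,}[^\s"'<>)]*/gi;
// Assumption: a rough keyword heuristic for code that touches payment fields.
const CARD_HINT_RE = /card[-_ ]?(?:number|num)|cvv|cvc|expir/i;

function hostOf(rawUrl, pageOrigin) {
  try {
    return new URL(rawUrl, pageOrigin).hostname.toLowerCase();
  } catch {
    return null; // unparseable URL: skip it rather than abort the audit
  }
}

function isAllowed(host, allowedHosts) {
  // Exact match, or a subdomain of an approved host.
  return allowedHosts.some((a) => host === a || host.endsWith("." + a));
}

function auditPage(html, pageOrigin, allowedHosts) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    // External script: check where it loads from. Inline script: check every URL it names.
    const urls = src ? [src[1]] : body.match(URL_RE) || [];
    for (const u of urls) {
      const host = hostOf(u, pageOrigin);
      if (!host || isAllowed(host, allowedHosts)) continue;
      findings.push({
        host,
        kind: src ? "external-script" : "inline-destination",
        touchesCardFields: !src && CARD_HINT_RE.test(body),
      });
    }
  }
  return findings;
}

// Constructed checkout page: two approved scripts, one unapproved loader, and one
// inline script that names an unapproved destination next to card-field identifiers.
const SAMPLE_HTML = `
<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/sdk.js"></script>
<script src="//stats.collector.invalid/t.js"></script>
<script>var dest = "https://relay.invalid/c"; /* reads #card_number and cvv */</script>`;
const ALLOWED = ["shop.example", "cdn.payments.example"];

console.log(auditPage(SAMPLE_HTML, "https://shop.example", ALLOWED));
```

Run on a schedule against the live checkout page, a finding that was absent the day before is a reason to start the evidence collection described below.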
If you're a merchant and you have reason to believe that your physical store’s retail merchant software or online shopping cart has been compromised, you'll need the assistance of an IT professional skilled in cyber security threat detection and elimination.
- Collect as much evidence as possible, because some of this malware will eliminate traces of itself when it recognizes signs of discovery. You may need this evidence for civil litigation purposes.
- Your IT professional should attempt to identify and analyze the root cause of the malware infection. Did it enter via an old security flaw or through some new unprotected route of weakness?
- Of course, you must also put a stop to the intruder activities, as well as prevent re-occurrences. In some cases, merchants have been re-infected even after their initial infection was resolved.
- Last but not least, report the ID theft. In most states, there is a requirement for businesses to advise their customers if personal financial data has been or is likely to have been lost or stolen. Companies that fail to comply with these requirements may be subject to both civil and criminal penalties.
So, if you're a merchant and you're saying to yourself, “I bought those new terminals and new software, and I’m still not protected,” you probably are thinking, “Just when I thought it was safe to take credit cards again…the cyber sharks have found a new way to bite me on the butt.”