Fraudsters make hay while the sun shines: Payment system attacks

The holiday season is buzzing with spirited, less-careful consumers making billions of dollars of purchases, and fraudsters are looking to make hay while the sun shines. Both online and offline, millions of consumers are in a hurry to shop for discounted goods as well as gifts for family and friends. There is nothing wrong with that, but with newer methods of mobile, app-based, and web-based payment, the complexity of transactions and the number of vulnerabilities are increasing. The combined effect is the following fraud attacks that have come to our notice.

Rare POS Botnet attack:

What is most alarming is that the attacks are coming to the POS, and these are advanced point-of-sale botnets. This botnet is wreaking havoc now (it has not been stopped) at merchants and restaurants. There have been POS attacks in the past, e.g., at Subway, but this botnet is quite evolved. It is supposed to have compromised more than 20,000 payment cards since August, according to researchers from IntelCrawler. The researchers arrived at the findings after infiltrating one of the control servers used to send commands to infected machines and receive pilfered data from them. They said that the botnet is controlling 31 machines that belong to US-based restaurants and retailers. Some of the infected machines are servers, so the number of affected POS devices could be much higher than the number of machines. The attack is still on.

Prepaid cards attack:

The prepaid card is a great financial instrument, especially for the underbanked and unbanked. Businesses and government agencies are also increasingly using prepaid cards because they are easier to cash than paper checks. In May of this year, U.S. prosecutors said a global cybercrime ring had stolen $45 M from banks by hacking into credit card processing firms and withdrawing money in 27 countries through ATMs. More recently, JPMorgan Chase & Co is warning some 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by hackers who attacked its network in July. The cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits. The warning only affects the bank’s UCard users, not holders of debit cards, credit cards or prepaid Liquid cards. Although the issue (a web server breach) has been fixed, it is important to know about it and stay alert (if you have one of these cards), especially during this festive season, when the stolen information could be used.

Stores (online sales) attack:

A cyberattack recently hit grocery stores in parts of Washington, Oregon, Montana and Idaho. Stores like Rosauers were asking their customers to pay with cash or check while their owner, URM Stores, was working to clear up the attack. The attack was targeting credit and debit card users. The stores hit include Rosauers, Yokes, Super One and Trading Company, among other URM properties. The attack has now been blocked (3rd Dec, 2013).


So, as a shopper and an individual, what can you do? Start with the basics so that you don’t facilitate social engineering: don't share your passwords or personal information on the internet, and don't send such details in messages. You can read and learn more about it in this guide.

Watch out for a few other things as well; card or payment fraud could also happen in some of the following situations.

  • Don’t get carried away by free Wi-Fi. Fraudsters create seemingly safe free Wi-Fi hotspots in public places.
  • Fraudsters ask you to verify information while posing as a census or as an agency taking a survey.
  • Fraudsters fetch personal information via social networks.
  • Fraudsters masquerade as a merchant providing an offer or discount.

The entire payments value chain needs to work hard to curb fraud:

  1. Small retailers need to be aware of the real risk of card fraud when selling online and the simple steps they can take to protect against it. The safest way to take card details online is to use a fully hosted payment gateway. This means that when your customers hit ‘checkout’ they are redirected to a secure page run by the payment gateway, which is external to your website.
  2. Once considered the immaculate gold standard, the PCI DSS is being questioned and needs an upgrade. Surveys such as the Ponemon study show that 71% of businesses surveyed don't see PCI as strategic, which is an indication that 71% have this modicum of common sense. It might also be due to the cost versus the returns in terms of breaches curbed. The PCI Security Standards Council has recently published its change highlights in preparation for PCI-DSS 3.0, indicating new sub-requirements that reflect the growing maturity of the payment security industry and the increased security risks it has faced since PCI-DSS inception in 2006.
  3. PCI DSS focuses only on cardholder data, which is not enough to ensure complete protection of an organisation's information systems assets. A comprehensive view of information security, based on security and audit compliance frameworks, is required to give the organisation's data a comprehensive security layer. Hence there is a growing need to incorporate and integrate relevant security and internal control standards and frameworks along with PCI DSS to ensure holistic security for cardholder data.
  4. As the attacks get more sophisticated and advanced, the systems protecting us need to advance at the same pace. In fact, solutions need to be a step ahead. Attackers now cause more damage and extract more revenue per DoS or DDoS (denial-of-service) attack while reducing their own level of risk. So companies need to look at DoS detection and DDoS mitigation solutions (carrier agnostic) that do not require decryption of confidential data to protect global Internet assets against DDoS attacks.
  5. The huge trails of data left behind by payment cards of all kinds have created new risks. Biometrics and new robust forms of authentication are being looked at.
  6. At the POS, the major initiative needed against counterfeit cards is EMV implementation. The US has been slow to implement both terminals and EMV cards.
  7. E-retailers are responding to fraud with tighter transaction review and with a number of fraud monitoring tools and analytics.
  8. Visa is coming up with better ways to detect fraud. On October 2, 2013, Visa announced an upgrade to its Visa Advanced Authorization (VAA) technology that vastly improves the ability of its processing network to detect potential fraudulent activity in electronic payments.

To win the trust of customers, payment ecosystem players must enhance their defenses and safeguard against payment system attacks.