Tag Archives: credit card

Chip Cards Will Cut Cyber Fraud — for Now

Visa has released data showing adoption of Visa chip cards by U.S. banks and merchants is gathering steam.

But the capacity for Europay-Mastercard-Visa (EMV) chip cards to swiftly and drastically reduce payment card fraud in the U.S. is by no means assured.

Just look north to Canada, where EMV cards have been in wide use since 2011. Criminals have simply shifted fraudulent use of payment card accounts to online purchases—where the physical card does not come into play. Security and banking experts expect a similar pattern to play out in the U.S., where banks and merchants are under an October 2015 deadline, imposed by Visa and MasterCard, for adopting EMV systems.

Heeding that deadline, major retail chains and big banks are driving up adoption numbers in the U.S. However, thousands of small and mid-sized businesses continue to remain on the fence.

SMBs slower to switch

SMBs are methodically assessing the risk vs. reward of racing to adopt EMV, Brian Engle tells ThirdCertainty. Engle is executive director of the newly founded Retail Cyber Intelligence Sharing Center, or R-CISC.

Brian Engle, Retail Cyber Intelligence Sharing Center executive director
Company decision-makers are doing their due diligence, factoring in the potential for fraud, the cost of implementing EMV technology and the risk of chargebacks, he says.

“From a transactional volume perspective, some are going to accept risks and move at a rate that’s more appropriate for the size of their organization,” Engle says.

There’s no question the U.S. is in EMV saturation mode. As of the end of 2015, Visa tells us:

  • The volume of chip transactions in the U.S. increased from $12.1 billion in November to $15.8 billion in December, a 30% pop.
  • Seven out of 10 Americans now have at least one chip card in their wallet.
  • 93% of consumers are aware that the transition to EMV is happening.

Cryptogram makes things more complicated

Unlike magnetic-stripe cards, EMV cards are more difficult to counterfeit because the chip contains a cryptogram. When the card is inserted into the point of sale (POS) terminal—vs. being swiped—the cryptogram creates a token that’s unique to each transaction, and all the information is encrypted as it’s transmitted to the terminal and the bank.

This process actually takes a few seconds, during which the consumer must leave her card inserted in the POS terminal. U.S. consumers are in the process of modifying their behavior at the checkout stand. Patience for a few seconds is required. Those precious seconds of inconvenient waiting represent an investment in tighter security.

But not as tight as when you use a chip card in Canada or Europe. That’s because EMV cards not only generate a one-time authorization token, they are also designed to require the user to enter a PIN as a second factor of authentication. However, PIN compliance was not part of the October 2015 deadline. Thus, most EMV in-store transactions in the U.S. still require only a signature, which, of course, any impostor can forge.

Criminals, on the other hand, won’t be able to hack into store networks and steal any useful transactions data, at least not any in which chip cards were used.

“Even if you steal the information, it becomes very difficult to use it. You’d get a long string of letters and numbers that can’t do anything,” explains Ben Knieff, senior analyst for retail banking at Aite Group, an independent research and advisory firm that specializes in financial services.
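An added example, not part of the original article: a simplified Python model of the per-transaction cryptogram described above, showing why transaction data captured from a store network is rejected when it is reused or altered. HMAC-SHA256 stands in for the MAC a real chip card computes, and the class names, key and card number are constructed for illustration.

```python
"""Simplified model of a per-transaction chip cryptogram (added example).

Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the MAC a real
EMV card computes; key provisioning is reduced to one shared secret per card.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AuthRequest:
    pan: str                # card number (constructed placeholder below)
    amount_cents: int
    terminal_nonce: bytes   # unpredictable number chosen by the terminal
    atc: int                # transaction counter kept on the chip
    cryptogram: bytes


def compute_cryptogram(key, pan, amount_cents, terminal_nonce, atc):
    """MAC over every field the issuer needs to trust."""
    msg = "|".join([pan, str(amount_cents), terminal_nonce.hex(), str(atc)])
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def authorize(self, amount_cents, terminal_nonce):
        self._atc += 1  # a counter value is never reused
        mac = compute_cryptogram(self._key, self.pan, amount_cents,
                                 terminal_nonce, self._atc)
        return AuthRequest(self.pan, amount_cents, terminal_nonce,
                           self._atc, mac)


class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def verify(self, req):
        key = self._keys.get(req.pan)
        if key is None:
            return "unknown_card"
        expected = compute_cryptogram(key, req.pan, req.amount_cents,
                                      req.terminal_nonce, req.atc)
        # Constant-time comparison of the recomputed and presented MAC.
        if not hmac.compare_digest(expected, req.cryptogram):
            return "bad_cryptogram"
        # A valid MAC with an old counter is a reuse of captured data.
        if req.atc <= self._last_atc[req.pan]:
            return "replayed_counter"
        self._last_atc[req.pan] = req.atc
        return "approved"


def run_demo():
    key = bytes(range(16))          # constructed key
    pan = "PAN-PLACEHOLDER-0001"    # constructed, not a real card number
    issuer = Issuer()
    issuer.enroll(pan, key)
    card = ChipCard(pan, key)
    genuine = card.authorize(1250, bytes.fromhex("a1b2c3d4"))
    return {
        "genuine": issuer.verify(genuine),
        "captured_request_reused": issuer.verify(genuine),
        "captured_with_new_amount": issuer.verify(
            replace(genuine, amount_cents=99900)),
        "captured_with_bumped_counter": issuer.verify(
            replace(genuine, atc=genuine.atc + 1)),
        "next_genuine": issuer.verify(
            card.authorize(300, bytes.fromhex("0badf00d"))),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Static magnetic-stripe data has no counter and no keyed MAC, which is why a copied stripe is accepted wherever the original would be.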

Criminals reportedly were able to breach Wendy’s customers’ magnetic-stripe payment card data recently. That data breach was disclosed after numerous stolen card numbers were subsequently used at other merchants, and the trail led back to Wendy’s.

This kind of credit card fraud is exactly why U.S. financial institutions are migrating from the magnetic-stripe cards to new technology that uses a much more secure chip.

Aite Group estimates that EMV will significantly reduce U.S. counterfeit card fraud—from an estimated peak of $3.61 billion in 2015 to $1.77 billion in 2018.

Scott Schober, Berkeley Varitronics Systems Inc. president and CEO
Even so, the technology is not foolproof because bad actors can use other tricks. “The EMV technology is still hackable,” says Scott Schober, president and CEO of Berkeley Varitronics Systems Inc., which specializes in wireless threat detection. “However, hackers are going to go after the simple hack.”

Identity theft experts anticipate that fraudsters will simply shift their attention to merchants that use mobile payments—or don’t use a physical POS terminal at all.

“For bad actors, when one avenue dries up, they will look for other ways,” says Numaan Huq, a Canada-based senior threat researcher with Trend Micro’s Forward-Looking Threat Research Team.

Some transactions safer than others

In Canada, where point-to-point encryption is now standard for retailers, Huq says he feels very safe when using a credit card in stores. But at places like hotels? Not so much.

That’s because hotels collect credit card information for reservations, and, when that system is hacked, all the data is compromised. The same goes for various service providers, like medical offices.

“Bad actors will find new avenues, and I expect, over time, the fraud levels (in the U.S.) will go up again,” Huq says.

That’s what happened in Canada, the U.K. and other countries that have adopted EMV. Canada, for example, saw a 54% decline in counterfeit cards and 133% jump in “card-not-present” (CNP) fraud between 2008 and 2013, according to Aite Group research.

“In the past, most of the tools hackers used were extremely crude,” Schober says. “But advances in technology are making it much easier to compromise people online.”

Aite estimates that CNP fraud in the U.S. will grow from $2.9 billion to $6.4 billion, as hackers shift their tactics.

But, Knieff says, criminals have one thing going against them—online credit card fraud is not a scalable “business.” Criminals can’t buy 40 TVs from Amazon.com, for example.

“Application fraud—using stolen or synthetic identities to open new accounts … becomes much more attractive,” he says. “Yes, CNP will increase, but it will not increase geometrically because it’s hard to scale.”

Many organizations may not even be ready to focus on securing their online systems. Engle, of R-CISC, uses a hockey analogy, saying retailers are “trying to skate to where the puck is going.” That is, at the moment they’re still trying to figure out the transition to EMV.

SMBs particularly vulnerable

In the meantime, smaller businesses face an increased risk.

“The fraudsters will utilize POS malware until they can’t, and those smaller retailers are going to continue to be in their cross-hairs,” he says. “The ability to affect small retailers at a high rate is very profitable for them.”

Attacks on large retailers take a lot more time and resources, Huq says.

“A small mom-and-pop shop is a no-brainer to hit,” he says, adding that mobile payments, especially, are a concern because of proliferation of malware, particularly for Android systems.

“It’s easy to use for small businesses because it costs less,” he says. “But in the future, I think this will be a new way for bad actors to steal credit card data.”

This post was written by Rodika Tollefson.

What We Can Learn From Google Compare

“The Google Compare service itself hasn’t driven the success we hoped for.” Google Compare announced in an email to its partners that it would be shutting its insurance and financial products comparison service tools in the U.S. and U.K. as of March 23. The lack of traction in both usage and revenue generation were named as two key reasons. Those were the headlines across the industry this week. So Google Compare is done – for now.

This is big news for the insurance industry, which has spent the last year figuring out how to shield itself from the potential impact that the tech giant would make. It turns out Google didn’t make much of a splash after all. In addition to insurance, Google is backing out of credit cards, banking and mortgage products. Google said it is shutting down for now and focusing on “improving the customer experience.” Maybe Google will be back in a year, maybe five years, but what can we learn from it now?

When Google Compare was launched in the U.S. last year, it took the industry by storm. The agent/broker ecosystem was skeptical of any success, but they were also fearful – given Google’s size, wealth and talent. Could Google disrupt personal auto quoting?

What the agent/broker ecosystems did was to keep their (potential) enemy close by understanding what they were doing. They watched and hoped for failure. Meanwhile, a handful of insurers signed up to be part of the California launch: those insurers who could easily connect to the Google platform and wanted to be part of a potential success. And these companies had to explain their actions to their agents – who were in the wings watching and waiting to see what would happen.

I have my own thoughts on why Google Compare failed this first go-around. First, consumers can get these quote comparisons elsewhere – insurers already do this. Next, maybe customers just aren’t quite ready for self-service compare engines – but by all accounts, they soon will be. I don’t think Google underestimated the complexity of insurance, nor do I think it underestimated the consumer. I think, probably, that the timing was off, and Google didn’t differentiate itself from existing solutions with comparative raters. Google probably lacked some of the innovation that would have been needed to differentiate itself from others in the market.

Google Compare, like many start-ups, has failed, at least for now. At SMA, we talk all the time about how there is an innovation journey and how even the best-laid plans will sometimes fail. Part of the journey is learning through failure and then coming back better than ever. This is especially true in insurance. The industry is complicated. It’s complex and heavily regulated. It experiences slow growth, a slow pace of change and relatively small profits. And it requires lots of resources, cash and expertise committed for a long time before it pays off. SMA research shows 88% of insurers understand that innovation projects may fail. Part of that acceptance indicates a growing ability to learn from failure.

So where do you place your bets moving forward? Will Google Compare opting out of insurance cause new disruption? Will new solutions move in to fill the void?

Many will place their bets on strong incumbents and today’s ecosystem. Insiders believe that, with Google Compare moving out, it will become unappealing for outsiders to move in and try to understand it, saying the barriers to success are too high. Others will say that something will come to disrupt and challenge the traditional ways of the comparative raters and that outsiders, with their naivete and innovative thinking, will find a pin hole in the ecosystems and exploit the market.

Either way, the wonderful thing about innovation is that it is the essence of change. The only constant is change. Things happen so quickly. Innovation can flip an industry on its side overnight. Google Compare isn’t going away forever; it is just shutting the blinds. While this may be a small win for the establishment insurers who viewed Google’s entry as a threat, it doesn’t mean these organizations should rest on their laurels. The time is now to innovate, fill a void and improve overall services. Finally, failures and what we learn from them serve to set the groundwork for change and innovation. It is part of the innovation journey to improve and adapt. As we continue this year, I am confident there will be more changes to the industry … so stay tuned.

Demystifying “The Dark Web”

We often hear reference to the “deep” or “dark” web. What exactly is the deep or dark web? Is it as illicit and scary as it is portrayed in the media?

This article will provide a brief overview and explanation of different parts of the web and will discuss why you just might want to go there.

THE SURFACE WEB

The surface web or “Clearnet” is the part of the web that you are most familiar with. Information that passes through the surface web is not encrypted, and users’ movements can be tracked. The surface web is accessed by search engines like Google, Bing or Yahoo. These search engines rely on pages that contain links to find and identify content. Search engine companies were developed so that they can quickly index millions of web pages in a short time and to provide an easy way to find content on the web. However, because these search engines only search links, tons of content is being missed. For example, when a local newspaper publishes an article on its homepage, that article can likely be reached via a surface web search engine like Yahoo. However, days later when the article is no longer featured on the homepage, the article might be moved into the site’s archive format and, therefore, would not be reachable via the Yahoo search engine. The only way to reach the article would be through the search box on the local paper’s web page. At that time, the article has left the surface web and has entered the deep web. Let’s go there now…

THE DEEP WEB

The deep web is a subset of the Internet and is not indexed by the major search engines. Because the information is not indexed, you have to visit those web addresses directly and then search through their content. Deep web content can be found almost anytime you do a search directly in a website — for example, government databases and libraries contain huge amounts of deep web data. Why does the deep web exist? Simply because the Internet is too large for search engines to cover completely. Experts estimate that the deep web is 400 to 500 times the size of the surface web, accounting for more than 90% of the internet. Now let’s go deeper…

THE DARK WEB

The dark web or “darknet” is a subset of the deep web. The dark web refers to any web page that has been concealed because it has no inbound links, and it cannot be found by users or search engines unless you know the exact address. The dark web is used when you want to control access to a site or need privacy, or often because you are doing something illegal. Virtual private networks (VPNs) are examples of dark web sites that are hidden from public access unless you know the web address and have the correct log-in credentials.

One of the most common ways to access the dark web is through the Tor network. The Tor network can only be accessed with a special web browser, called the Tor browser. Tor stands for “The onion router” and is referred to as “Onionland.” This “onion routing” was developed in the mid-1990s by a mathematician and computer scientists at the U.S. Naval Research Laboratory with the purpose of protecting U.S. intelligence communications online. This routing encrypts web traffic in layers and bounces it through random computers around the world. Each “bounce” encrypts the data before passing the data on to its next hop in the network. This prevents even those who control one of those computers in the chain from matching the traffic’s origin with its destination. Each server only moves that data to another server, preserving the anonymity of the sender.

Because of the anonymity associated with the Tor network and dark web, this portion of the Internet is most widely known for its illicit activities, and that is why the dark web has such a bad reputation (you might recall the infamous dark web site, Silk Road, an online marketplace and drug bazaar on the dark web). It is true that on the dark web you can buy things such as guns, drugs, pharmaceuticals, child porn, credit cards, medical identities and copyrighted materials. You can hire hackers to steal competitors’ secrets, launch a DDOS (distributed denial of service) attack on a rival, or hack your ex-girlfriend’s Facebook account. However, the dark web accounts for only about .01% of the web.

Some would say that the dark web has a bad rap, as not everything on the dark web is quite so “dark,” nefarious or illegal. Some communities that reside on the dark web are simply pro-privacy or anti-establishment. They want to function anonymously, without oversight, judgment or censorship. There are many legitimate uses for the dark web. People operating within closed, totalitarian societies can use the dark web to communicate with the outside world. Individuals can use the dark web news sites to obtain uncensored news stories from around the world or to connect to sites blocked by their local Internet providers or surface search engines. Sites are used by human rights groups and journalists to share information that could otherwise be tracked. The dark net allows users to publish web sites without the fear that the location of the site will be revealed (think political dissidents). Individuals also use the dark web for socially sensitive communications, such as chat rooms and web forums for sensitive political or personal topics.

Takeaway

Don’t be afraid – dive deeper!

Download the Tor browser at www.torproject.org and access the deep/dark web information you have been missing. Everything you do in the browser goes through the Tor network and doesn’t need any setup or configuration from you. That said, because your data goes through several relays, it can be slow, so you might experience a more sluggish Internet than usual. However, preserving your privacy might be worth the wait. If you are sick of mobile apps that are tracking you and sharing your information with advertisers, storing your search history, or figuring out your interests to serve you targeted ads, give the Tor browser a try.

3 Questions About On-Demand Economy

Last year, as Airbnb’s $25.5 billion valuation surpassed Hilton Hotels’ and Uber became the world’s most valuable privately owned company, it became clear the on-demand economy is no passing fad but is, in fact, a force to be reckoned with.

The on-demand marketplace is growing at a dizzying pace as new companies emerge daily, helping connect a diverse workforce of tradespeople, licensed professionals and unskilled laborers to a market of willing buyers through the company’s platforms. Intuit projects the population of U.S. on-demand workers will more than double by 2020, which means that, if you can’t already summon a doctor, lawyer, babysitter or dog walker right now via an on-demand app, then sit tight—they’re coming soon to a smartphone near you.

But the scale and speed of the on-demand economy’s growth also means policymakers, regulators, insurers and on-demand companies will have to huddle quickly to resolve the issues that arise with this expanding marketplace and its workforce. Here are the three key questions we need to address immediately:

  1. When the safeguards of the traditional corporation no longer exist, how do we protect the on-demand workforce?

Uber is currently appealing a case it lost against the California Labor Commissioner last summer regarding whether a driver is an independent contractor or an employee. While establishing this distinction is a critical issue, we still need to address some big questions about the vast self-employed workforce in the on-demand economy.

A good primer question: How do we get the information we need to make informed policy decisions? Independent contractors in the on-demand economy are classified as part of a larger pool of temporary, seasonal, part-time and freelance workforce called “contingent” workers. A 2015 U.S. Government Accountability Office report cites this workforce as somewhere between less than 5% and more than one-third of the country’s overall labor pool. The big gap in this measurement is because it depends on how jobs are defined and on the data source; the broad definitions and lack of clear data on this workforce make on-demand independent contractors and their needs tough to track and evaluate. How much of this workforce depends on this income for supplementary purposes as opposed to relying on this income as a full-time living?

According to Intuit’s study, contingent workers will make up 40% of the U.S. workforce by 2020. That’s a lot of people working without the safeguards provided by the traditional corporation—guaranteed minimum wage, steady income, unemployment insurance, healthcare, workers’ compensation and disability insurance. What kind of safety nets do we need to put in place to protect this workforce? And what does this growing workforce mean in terms of policy development? How does the social contract change?

  2. How should we regulate hybrid commercial/consumer activities?

A sticky issue surrounding the on-demand economy is how to regulate commercial activities that are conducted by individuals rather than by traditional businesses.

While some argue that an Airbnb property should be as heavily regulated as a hotel if a host is accepting payment for lodgings, drawing an apples-to-apples comparison between the two is a challenge. For example, treehouses, yurts, igloos and lighthouses were among the top-10 most desirable vacation destinations on Airbnb shoppers’ wish lists last year, some fetching upward of $350 a night. Who exactly should you call about making sure the igloo is up to code before guests arrive?

Some of the services and products offered by the individual through on-demand platforms have never been available through traditional enterprises; they’re unique, intimate experiences and, before on-demand platforms made them accessible, were difficult to find. We’re entering a new frontier where many tourists covet a culinary experience they can book at a local’s house via apps such as Feastly or Kitchensurfing rather than a fine dining restaurant, or they prefer offbeat accommodations booked through Airbnb to a 5-star hotel. We can’t assess how to best regulate these individual commercial activities until we have more data and understand the risks. How do we collect that data? How do we ensure the safety and protection of the individuals operating and participating in these activities until we have the information necessary to adequately regulate them?

  3. How can a square peg workforce function in a round hole system?

Mortgages, loans, credit cards, leases … these are just a few of life’s niceties (or necessities) that are challenging for an on-demand independent contractor to secure. Our current financial services, systems and policies were built to work for employees who collect a regular paycheck as well as freelancers who have reliable cash flow through long-term contracts and monthly retainers. Independent contractors working through on-demand platforms tend to rely on short-term gigs often generated through multiple sources, and they have difficulty predicting their day-to-day income, never mind their annual net or gross.

This isn’t a niche workforce. If independent contractors represent 40% of the U.S. working population in 2020, they’re significant drivers of the economy. They generate income and pay taxes; they need homes, cars, work equipment and all the other stuff that keeps their businesses running and makes their lives worth living. We can’t dismiss their needs, because we are measuring their 21st century income with a 20th century yardstick. How do we retrofit our round-hole systems to include this square peg workforce?

If we want a thriving economy in which people enjoy the benefits of the on-demand economy, and doctors, lawyers, drivers, plumbers and everyone else serving the on-demand marketplace have equal opportunity to succeed, then the time to talk about these questions and issues is now.

New Way to Lower Healthcare Costs

Managers are more likely to limit rental cars to $30 a day than limit an open heart surgery to $100,000 — for ethical and regulatory reasons, many executives steer clear of involving themselves in healthcare decisions, other than selecting the broadest possible network access. But few expenses that executives know so little about matter more than those involved in healthcare do.

This article speaks to a cultural shift that could provide tremendous impact for employers. They can now lower costs while also improving outcomes.

Until now, employers have used two main strategies:

–They offloaded costs to employees, hoping that giving them more skin in the game would reduce their spending on healthcare. But the continuing lack of transparency about healthcare costs, combined with costs that rose faster than employers shifted them, resulted in insurance picking up more cost and consumerism being driven down.

–Employers also invested in wellness programs. But wellness programs are most attractive to the already healthy. And they attempt to reduce how often enrollees encounter the system. But we know that everyone will encounter care at some point. It is each encounter’s volume and cost that is at the heart of this out-of-control system.

The new, better approach was demonstrated in a whirlwind, 48-hour trip I took with some incredible healthcare leaders.

First, we met with the executives of Rosen Hotels in Orlando, who have saved hundreds of millions of dollars compared with average employer healthcare costs. Rosen’s single-digit employee turnover would delight most employers, but it is spectacular in the hospitality industry. Rosen achieves this turnover with a benefit-rich plan most employees would drool over: e.g., no-cost prescriptions, $750 max hospital out-of-pocket.

How does Rosen accomplish this? First, its healthcare thinking is based on what it wants to achieve rather than what it has to provide. Beginning with the CEO, Rosen’s top executives really care about every one of their employees, as evidenced by the more than a few employees who have been there for 40-plus years. (Remember, this is a hotel chain, not a hedge fund with six-digit salaries). The strategies deployed vary, but they mainly support making the highest value care as accessible as possible.

Value—a fair return or equivalent in goods, services or money in exchange for something—is seriously lacking in American healthcare. Rosen took it upon itself to provide healthcare whenever and wherever possible, using its clout to lower costs. The company arranged special prescription drug discounts with Walmart. Rosen has on-site medical directors who personally engage with each employee’s health. The directors visit employees in the hospital and help arrange home delivery of costly specialty medications from lower-cost pharmacies. The company monitors and supports sick employees’ recovery and progress. It also built a health-and-wellness center for all employees and dependents with primary care, prescriptions, fitness instruction and more. I know all this sounds expensive, but the impact far outweighs the cost.

The second part of our adventure involved a flight to the Caribbean island of Grand Cayman, just south of Cuba, a beautiful tropical setting an hour-long flight from Miami (and with direct flights from a dozen other U.S. cities). The morning after our late arrival, we enjoyed the beautiful sunrise for exactly 20 seconds before we were bused to a facility called Health City Cayman Islands (HCCI). The single building on 200 acres (with significant future expansion plans) is clean, new and functional, though it is not nearly as grand as many U.S. mega-hospitals. Now two years old, HCCI is a joint venture between Ascension Health (a non-profit U.S. health system) and Narayana Health, a top Indian health system based in Bangalore. HCCI’s Indian roots are very important, because that country has no national healthcare or insurance system. The Indians have a novel approach to healthcare: You pay for it.

Narayana Health, which has achieved Joint Commission International (JCI) accreditation, performs a volume of procedures unprecedented in most hospitals. This volume is produced by a highly experienced team with quality outcomes that equal or exceed the best U.S. hospitals, but the team does it at far lower cost. Dr. Devi Shetty, Narayana’s founder and a cardiologist who has performed more than 25,000 heart surgeries, is focused on reducing the price of an open heart surgery to $800. (It currently sits around $1,400). Compare that with a 2008 Milliman report that pegs U.S. open heart surgery costs around $324,000.

Some employers—Carnival Cruise Lines, for example—are so convinced of HCCI’s value (better health outcomes at far lower cost) that they will pay for all travel, including a family member’s accommodations for the length of a stay, and often waive an employee’s out-of-pocket costs associated with the procedure.

While HCCI’s pricing is higher than its Indian sister facility, many people could afford to pay for HCCI’s care with their credit card, if that were necessary.

HCCI charges a single, bundled fee that covers all associated costs, plus the cost of most complications — the director says, “Why should the patient pay for something if it was our mistake?” Compare that attitude with that at U.S. facilities, which have financial incentives to deliver as much care for as long as possible, and which get paid more if they make mistakes. HCCI’s upfront pricing model creates a serious incentive for efficiency and quality, because the facility is financially responsible for complications, infections and extra tests.

Patients and purchasers (i.e. employers and unions) should realize that nearly all U.S. healthcare—hospitals, doctors, drug companies and even insurance carriers—is structured to benefit from more care, rather than good, efficient or innovative care.

This means that purchasers and patients must use any available levers to get the best healthcare value they can. As Rosen and HCCI have proven, those levers are increasingly available.