The ugly truth is that every business that accepts payments via credit card, debit card, or ACH is a potential target for a data breach. It is one of the most stressful situations to find yourself in and can lead to a damaged reputation on top of the financial repercussions. The key to security is multiple layers of defenses; this layered approach is critical today and involves your employees, your bank, and more.
Cybercriminals are lurking and watching for weaknesses in your defenses. Below we will discuss these malicious actors, their motivations, your risks as a business, conventional strategies of attack, and the tools, policies, and features at your disposal. With this additional knowledge, we hope you may build or enhance your multi-layer defensive strategies.
The primary motivation for these malicious entities to target your business is simple: money. They are looking for a means to make the most illicit gains as easily and quickly as possible.
Fraudulent strategies take several forms. The most common are scrubbing lists of compromised card numbers to identify those that remain active and viable, and using stolen cards to purchase tangible goods that are then resold on secondary markets. Businesses are also targeted so that their points of purchase can be compromised to steal card numbers and build new lists of card numbers.
Fraudulent Purchases:
Traditionally, this strategy follows a pattern. A fraudulent entity makes contact with your business wishing to purchase some tangible products or materials. Once they have succeeded in having their order created, they utilize a previously compromised payment card to "pay" for these items and arrange shipping or pickup.
Typically, these entities will opt for the fastest delivery method, regardless of potential costs, as they intend to gain possession of the goods before their stolen card information is discovered.
Once they have received the products, they will immediately transfer them to unknown locations and resell them into secondary markets.
If your business falls victim to this form of attack, you won't know until days or weeks after the materials have left your door. You'll often receive a notice that the card used has been charged back and the funds debited back out of your company bank account. In these cases, you have lost the funds and the hard costs associated with purchasing those products from your suppliers.
Fraudulent orders are usually either for large quantities of products or for high-dollar items, and businesses that fall victim often lose $10,000 or more.
Scrubbing Lists Of Compromised Cards: It seems a data breach makes the news cycle every month or so, and for every massive breach we hear about, hundreds of other smaller-scale compromises occur.
This steady stream of breaches leads to tens of thousands of card numbers being stolen, bought, and sold on the dark web every day. But a list of compromised cards on its own has only limited value, because the entities buying and selling such lists know that the vast majority of cards on an unverified list have often already been invalidated and will not work for new transactions.
If a malicious actor can winnow that list down to only those cards that remain active, this new list grows in value many times. It can be immediately resold at a profit or used in a second phase to complete fraudulent purchases/charges.
The best way to determine if a stolen card number is still active is to submit a transaction using that card and look at the result. If successful, then the fraudulent entity knows that card is still valid and valuable.
But submitting these transactions must be done via a valid credit card processing account, and doing so incurs a communication fee. When attempting transactions to determine the validity of thousands of cards, these fees add up quickly. Furthermore, running thousands of transactions in a short time, the bulk of which are declined, will often lead to the processing banks flagging the credit card processing account and suspending its access to the processing networks.
These two factors explain why the malicious actors are looking to break through your walls and access your processing accounts. They don't want to pay the fees or risk having the accounts they use in their scam shut down.
Suppose they do manage to compromise your processing systems. In that case, they may then execute their scheme, and your business is stuck staring down the resulting fees and operational interruptions as a consequence.
So what might this look like in dollars and cents? For the sake of example, let's run a realistic, round number scenario below and find out.
Say one of these fraudulent actors finds a hole in your defenses and sets up a means by which they run a list of 10,000 cards through your processing account in a matter of hours or days. Depending on the specifics of the cards used, each attempt will likely result in your account being charged total transaction/communication fees of somewhere between $0.15 and $0.35. For the sake of this example, we will use $0.25 as the average fee your business incurs. As a result of this one failure in your defenses, your business is now looking at a bill of $2500. Additional expenses are likely as a result of an interruption to your ability to process legitimate transactions and the work involved in correcting and dealing with the fallout of the attack.
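The same pattern the processing banks look for, many attempts with a high decline rate in a short window, is something a merchant can watch for on its own gateway logs. The following Python snippet is an added example, not code from the original article: it flags any source that runs many distinct cards with a high decline ratio inside a sliding window and estimates the fee exposure at the $0.25 average used above. The log format, the IP addresses, the card numbers and the thresholds are all assumed for illustration.

```python
"""Card-testing (list scrubbing) detector over constructed gateway log lines.

Assumed log format (one attempt per line, in chronological order):
    <ISO timestamp> <source_ip> <card_last4> <APPROVED|DECLINED>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per source (assumed)
MIN_ATTEMPTS = 20               # attempts inside the window before we care
MIN_DISTINCT_CARDS = 10         # one customer retrying one card is not scrubbing
DECLINE_RATIO = 0.8             # share of declined attempts that trips the alert
FEE_PER_ATTEMPT = 0.25          # average communication fee from the article

def parse_line(line):
    ts, src, last4, result = line.split()
    return datetime.fromisoformat(ts), src, last4, result

def detect_card_testing(lines, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                        min_distinct=MIN_DISTINCT_CARDS, ratio=DECLINE_RATIO):
    """Return {source: (attempts, declines, distinct_cards)} for every source
    whose recent activity looks like a list being scrubbed through the gateway."""
    recent = defaultdict(deque)           # source -> (ts, last4, declined)
    flagged = {}
    for line in lines:
        ts, src, last4, result = parse_line(line)
        q = recent[src]
        q.append((ts, last4, result == "DECLINED"))
        while q and ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        attempts = len(q)
        declines = sum(1 for _, _, d in q if d)
        cards = {c for _, c, _ in q}
        if (attempts >= min_attempts and len(cards) >= min_distinct
                and declines / attempts >= ratio):
            flagged[src] = (attempts, declines, len(cards))  # keep latest view
    return flagged

def estimated_fee_exposure(attempts, fee=FEE_PER_ATTEMPT):
    """Fees the merchant is billed for the attempts, successful or not."""
    return round(attempts * fee, 2)

def build_sample_log():
    """Constructed sample: one normal customer, plus one source running 24
    distinct cards in two minutes, 22 of which decline."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = ["2024-05-01T09:58:00 203.0.113.7 4242 APPROVED",
             "2024-05-01T10:03:30 203.0.113.7 4242 APPROVED"]
    for i in range(24):
        result = "APPROVED" if i in (7, 15) else "DECLINED"
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} "
                     f"198.51.100.9 {1000 + i:04d} {result}")
    return sorted(lines)                  # chronological order, as the detector assumes

if __name__ == "__main__":
    for src, (att, dec, cards) in detect_card_testing(build_sample_log()).items():
        print(f"{src}: {att} attempts, {dec} declined, {cards} cards, "
              f"~${estimated_fee_exposure(att)} in fees")
```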
Compromising Point Of Payment Systems: This type of attack is used by those committing cybercrime to compromise valid cards in circulation and create new lists of card numbers for sale and use in schemes like those described above.
A successful attack often relies on weaknesses and a lack of vigilance on the part of businesses in keeping their electronic payment systems up to date. There are many ways such weaknesses can arise.
The Payment Card Industry Data Security Standard (PCI-DSS) was created so businesses can measure themselves and their systems and ensure they are implementing the security controls necessary to protect themselves from this type of attack.
You can learn much more about the PCI standards, how they affect your business, and find valuable resources directly from the organization in charge of maintaining these standards, here.
If you do fall victim to a breach of your payment systems, it not only puts your business's reputation at risk and may cost you clients and sales; it may also result in significant financial loss due to fines, penalties, legal fees, and other costs.
Social Engineering:
The term "Social Engineering" refers to a strategy by which cybercriminals don't directly attack your software or hardware systems, but instead target your workforce: the people who may have access to the capabilities the criminals wish to take advantage of.
This type of attack often relies on using your team's emotions and habits against them and is one of the most effective weapons in a cybercriminal's arsenal. This is because, somewhere in your organization, at least one person has access to your ordering, payment, or security systems.
One example might be a malicious entity contacting a member of your sales team to place an order for a dozen laptop computers that supposedly need to be shipped overnight to a remote office, because everyone there has been told they will be working from home in two days.
These techniques are powerful and all too easy to fall for if your staff are inexperienced. Teaching your team how to recognize and avoid this well-laid trap will help you prevent a data breach.
Unprotected Online Payment Tools: If your business employs an online product marketplace that allows customers to select items, pay, and have them shipped, or offers simple electronic payment of outstanding bills, these features may put you at risk if not implemented with proper security in mind.
An online marketplace that fulfills and ships client orders without oversight controls on the amount of each order or the number of items that can be purchased elevates your risk of being the victim of fraudulent purchases.
A bill pay form that allows individuals to enter their card details and run a transaction, without first verifying their identity or their knowledge of the specifics of their account with your business, is an unprotected target for a card scrubbing attack.
Compromise Of Payment System Login Credentials: If criminals gain access to your payment systems' account credentials, they could hijack your processing account and use it to validate and expand their list of stolen credit cards.
As mentioned in the example above, even a relatively small list of 10,000 cards can easily result in $2500 or more in fraudulent transaction fees for your business.
Outdated Hardware And Software: When the systems used to accept payment from customers are not maintained and updated regularly, they may leave you open to an attack designed to compromise the cards used by your customers, allowing cybercriminals to generate new lists for sale and use across their criminal enterprises.
These updates and maintenance cycles are critical considerations for your payment software, the computers and networks through which the software communicates, and even the point of purchase devices designed to interact with the customer's payment card.
Your team is the first line of defense and must remain vigilant to both external and internal threats to the business. In this day and age, a touch of paranoia or healthy suspicion is necessary for every member of your team to maintain a state of constant vigilance.
Thus, it is important to give guidance and training to every team member on the threats they face, such as suspicious urgency or out-of-character email requests, the other tactics mentioned above, and many more. Further, this training must not be a one-time occurrence but something reinforced regularly.
In addition to regular training, supporting your team members in following strict operational security policies is another vital component in ensuring their success and the strength of your defenses. A couple of examples include:
Passwords
Gateway
Physical Acceptance Devices
This guide is meant to help you address any potential weak points within your business, but it's only the beginning. If you want to implement any of these additional security features in your business and develop a dedicated multi-layer security approach, reach out to our support team with any questions @ [email protected].