Author Archives: hostmerchantservices

Hackers Steal Credit Card Data at Major Seafood Restaurant Chain

Individuals who have wined and dined at theme restaurants such as the Bubba Gump Shrimp Company and the Rainforest Cafe at least once since 2016 may want to review their credit and debit card statements. According to a notice posted by restaurant giant Landry’s shortly after New Year’s Day, hackers were able to inject malware into an internal system that operates separately from the point-of-sale (POS) network, but which nonetheless involved payment cards.

Before discussing details about this security incident, it should be noted that Landry’s POS system was not breached. In fact, the restaurant chain operates a system that not only encrypts data but also blocks all scripts it does not recognize, which means that unrecognized malware would have no effect. There was another card-reader system affected, but not one used for payments. With this in mind, the scope of the incident is sharply reduced because the credit and debit cards that may have been intercepted were not supposed to be swiped in the targeted system anyway.

When you sit at a table or at the bar of the Rainforest Cafe or Del Frisco’s Grill, you have probably noticed that servers interact with more than one card reader. There is the POS for payments, which is encrypted, but there is also an order-entry system that restaurant staff members access by swiping cards that often hang from lanyards around their necks for easy access. In some cases, servers carry a wireless tablet from table to table; this portable card reader can be used to swipe Landry’s Select Club cards, a nice customer loyalty and rewards program.

Between payment cards, access cards, and customer loyalty cards, it would not be unusual to expect that busy Landry’s servers would, from time to time, get these cards mixed up, which is what happened in this case. Some debit and credit cards were inadvertently swiped to place an order from the table or from the bar to the kitchen; perhaps a MasterCard was swiped instead of a Landry’s Select Club card, thus depriving some customers of points that could have been redeemed for a frozen margarita or a free side order of Cajun shrimp.

Even though Landry’s operates more than 600 restaurants, only 60 locations were affected, and individual cases are limited because most servers employed by this chain are retained based on their ability to carry out their duties with precision. This does not mean that hackers are giving up on attacking point-of-sale systems; if anything, malware targeting card reader terminals is becoming more sophisticated. The intent to breach Landry’s was certainly there, but it did not work as the hackers had hoped.

What Is Synthetic Identity Fraud?

The fight against fraudsters feels like a never-ending race, with each side trying to one-up the other. While the equipment we have to detect and prevent fraud has improved substantially over the previous decade, fraudsters always seem to find a way through eventually.

One of the latest tactics is synthetic identity fraud, a unique type of fraud in which fraudsters combine fake and legitimate information to create brand-new identities rather than simply stealing someone else’s identity.

We’re not talking about a lone wolf hiding in their basement trying to make a quick grab at what they can, either. These are the actions of large-scale criminal organizations that know exactly what they’re doing. They are sophisticated, methodical and patient, and right now as many as 85% to 95% of synthetic identity fraudsters are slipping through risk detection systems undetected.

According to GIACT Chief Experience Officer David Barnhardt, “They are doing the same things we are: always evolving their tactics to meet the newest technology and offers out there. Whenever a new thing in security comes along, they come out and see if they can beat it.” He went on to say, “When I was working in banking, we knew for certain that with any new initiative we rolled out, we would be attacked for six months and would have to tweak our approach every day. What they’ve learned is that they don’t have to rob a bank in person – they can do it with malware, make more money and get away with it.”

Synthetic Identity Fraud Is Rising

When looking into GIACT’s analysis, as much as $6 billion was stolen by synthetic fraudsters taking legitimate, personally-identifying information in 2016 alone, and that amount has been rising in the years since.

By establishing synthetic identities, fraudsters can open bank accounts and cards and act as if they’re legitimate customers, allowing them to make purchases slowly and quietly at first, sometimes for as long as a year while they build strong credit scores, before then going all out.

How to Defeat Synthetic Identity Fraud

It’s unfortunate, but there aren’t really any special ways to get rid of identity fraudsters. It would seem like, for now at least, they’re here to stay. What we do have, though, are tips and tricks for fighting fraud. Always remember though – the fraudsters are always thinking outside the box and always trying to get a step ahead. Therefore the industry has had to keep on its toes and come up with many creative ways of keeping ahead of the fraudsters.

Barnhardt also commented on the advantages that fraudsters have. Even if data breaches were someday reduced to zero, there will always be data on social media that fraudsters find useful. With this data, fraudsters could put together a functional profile from which they could commit synthetic identity fraud.

Ultimately, there’s no special answer to making this problem go away. We just need to remain vigilant and do all we can and continue to evolve to keep the fraudsters at bay while protecting the security of sensitive information.

The Sand Dollar is a New Caribbean Digital Currency

Of all regions in the world, the Caribbean may seem one of the least likely to officially adopt digital currencies, but that is exactly what has been taking place this year. In October 2019, the Eastern Caribbean Currency Union launched a pilot program to turn the EC dollar into an electronic form of cash, which residents of eight island nations can now use through the DXCDCaribe mobile app. Not to be outdone by this technology advancement, the Bahamas has launched its own pilot program to go cashless before the end of 2019.

Project Sand Dollar went live just two days after people across the Bahamas celebrated Christmas with a traditional dinner of baked ham, rice and peas, and potato salad. Central bank officials explained that although there is a blockchain enabling the circulation of the sand dollar, which is pegged to the value of the Bahamian dollar, this is not a true cryptocurrency since it is centralized and does not allow mining.

There are certain initial restrictions in place for Project Sand Dollar. Individuals can only hold $500 sand dollars in their accounts, which can be managed by means of a mobile app similar to the aforementioned DXCDCaribe. Business entities are limited to holding no more than $1 million, and the sum of monthly transactions may not exceed 1/8 of capital. Central bank officials see the sand dollar as a natural progression in the sense that residents of the islands are not as enthusiastic about using banks as they used to be.

Equal access to the banking system is something that the Bahamas and many other nations have curtailed through the enactment of anti-money laundering and “know your customer” legislation and regulations. In many jurisdictions, it is simply too late to reverse the effects of AML and KYC, which is why initiatives such as Project Sand Dollar are welcome since they can empower individuals who have been left out of the banking system, but who wish to make digital payments and money transfers.

As for the government of the Bahamas, financial regulators actually prefer to see digital payments taking place since they reduce the burden of physical currency controls and management. The goal is to get people used to holding sand dollars and generating quick response (QR) codes on their smartphones when they settle retail POS transactions or pay utility bills. The project will begin on the Exuma island and will later roll out to the Abaco islands. On the day the pilot program started the value of one sand dollar was equal to the United States dollar.

Chinese Hackers Were Successfully Able to Bypass 2FA

On December 19, the cyber security firm Fox-IT, which is headquartered in the Netherlands, reported that they discovered a previously-unknown infiltration of managed service provider and government computer systems in at least 10 countries, including the United States, Mexico, Brazil, the United Kingdom, France, Germany, Italy, Portugal and Spain. These systems covered a wide range of industries, including aviation, construction, energy, finance, gambling, healthcare, insurance, offshore engineering, payroll and HR services, physical lock manufacturing, software development and transportation. Fox-IT believes a Chinese government-funded hacking group managed to bypass two-factor authentication (2FA) to initially access and then spread through these systems.

What Is 2FA?

Two-factor authentication was designed to make it more difficult for hackers to access secure, private data. It requires that a user provide two unique forms of information to prove their identity when logging into accounts. For example, a system might recognize a user by their physical hardware, via a unique linked code, coupled with a separate unique password. The user might input a memorized password or a one-time password generated by a separate piece of hardware called a token or password generator. In banking, 2FA occurs when a card holder uses their physical card with their unique PIN at an ATM or during debit transactions. In point-of-sale software payment processing, a merchant or an employee uses 2FA when they sign into their point-of-sale software on a computer, a unique device, with a unique password.

Which Group Is Responsible?

Although many hacking groups supported by the Chinese government exist, Fox-IT has linked this event to a Beijing-based group called APT20. Security firms believe this group started in 2011. Since the Chinese government invests a lot of time and money into hiding its hacking groups, APT20 was able to keep a low profile during 2016 and 2017. Firms couldn’t track them until they slipped up in 2018. Fox-IT referred to the 2FA bypass as “Operation Wocao” after a member of APT20 used the Chinese curse word “wocao” in a final line of Windows command failure code when they realized that their actions had been detected and they couldn’t hack a system. The word aptly described both the frustration and shock felt not only by the hacker, but also by the Fox-IT techs who realized that this system and others had been hacked in such a rare fashion.

How Did They Do It?

This specific group typically uses the most basic hacking tools combined with the software already present on their victims’ systems. Two-factor authentication is incredibly difficult to bypass since it uses unique forms of identification. Fox-IT has stated that APT20 found a way, currently unknown, to compromise the 2FA for virtual private networks, possibly via vulnerabilities in the corporate and government enterprise application platform known as JBoss. Essentially, they found a way to bypass the credentials necessary to access their victims’ VPN accounts and the computer systems attached to those networks. APT20 then focused their efforts on locating and hacking additional linked systems that held the credentials necessary for them to find and retrieve additional private data. The attack was designed to help them find higher and higher levels of authentication to access higher and higher levels of information. For example, they targeted password managers/vaults and then used the passwords they found to continue their data search and retrieval. Once they were finished, they did everything possible to delete all footprints of their actions to prevent detection.

What About Payment Processing?

APT20’s rare bypass of 2FA shows that hackers might be able to access any system in a similar fashion, including networked computers owned by merchants using point-of-sale software and/or customer databases. A hacking group could potentially mine merchant systems for customer names, credit card numbers, expiration dates and secure CVV codes. If the system also has a customer database, hackers could also retrieve private details, such as customers’ home addresses and product likes and dislikes. Hackers might use this data to learn more about specific individuals, such as politicians or military leaders, or to create false identities.

We recommend that all merchants focus on improving not only their computer and network safety, but also their employee-based vulnerabilities. It’s important to train employees to recognize the many techniques used by hackers and how their actions can help these bad government-funded actors gain access. Merchants can also protect their systems by blocking employees from checking private email or downloading software on these systems.

Our team at Host Merchant Services goes beyond securing our own payment processing systems against these types of attacks: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

Plenty of Cheer During the 2019 U.S. Holiday Shopping Season

The numbers are in for the 2019 holiday shopping season, the final one of the decade, and retailers were pleased to learn that overall sales increased by nearly 3.5% compared to last year. Starting on Black Friday and culminating with last-minute shopping on Christmas Eve, retailers were definitely in the black this season, and this is despite the period being shorter than last year by six calendar days. E-commerce was the biggest winner with an increase of 18.8%, and the payments industry was pleased to see a greater volume of credit and debit card transactions along with digital payments.

Even though online shopping accounted for a little less than 15% of the overall sales volume, it should be noted that the Cyber Monday shopping event continued to grow, particularly in the consumer electronics segment, which experienced a boost of 10.7% on a year-over-year basis. Specialty apparel was the segment that shoppers expressed greater interest in compared to 2018, but even department stores posted a nice growth of 6.9% despite industry analysts warning that the heyday of American shopping malls is behind us.

According to the MasterCard Spending Pulse survey of retail activity during the holiday season, stores were prepared for the shorter shopping period this year; many retailers stepped up their omni-channel marketing efforts starting in early November. It should be noted that department stores actually saw a decline in their brick-and-mortar transactions, but they posted a 6.9% increase of their online sales.

Now that Christmas has come and gone, retailers are gearing up for the post-holiday blues, which tend to feature many gift returns or exchanges; a typical example is footwear, which tends to see a lot of exchanges because of size issues. Clearance and special discount situations will likely see a migration towards e-commerce channels, but brick-and-mortar retailers are ready to welcome more store traffic that should last through the first week of the New Year. Physical storefronts located within shopping districts have an advantage in this regard when merchants get together to organize entertainment and family events; the idea is to increase foot traffic at a time when many shoppers have time off work.

Wall Street Investors Also Enjoyed Holiday Cheer

The Santa Claus rally on Wall Street was delayed by just one day this year. According to market analysts at Nasdaq.com, exchange-traded funds that focus on the banking sector soared when traders returned to work after Christmas Day. This is good news for the payments industry, which does not exclusively rely on banks to stay busy. Consumers are warming up to alternatives to the traditional banking system; increased regulation and oversight along with a lack of flexibility by banks are driving consumers towards payment systems that they can manage from PCs and smartphones. Since providers of alternative banking services work closely with payments processors and clearinghouses, the future looks good for the payments industry.

Facebook Users’ Phone Numbers Exposed Online

Earlier this month, a huge database containing Facebook user IDs and phone numbers of 267 million members was breached and exposed, where it was then left on the web for almost two weeks before finally being removed.

According to security researcher Bob Diachenko, who discovered the unsecured Elasticsearch database along with Comparitech, it may not have belonged to Facebook but rather to a cybercriminal organization.

According to the report released December 19th, “A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”

First indexed on the 4th of December and not noticed until 10 days later on December the 14th, the database is now thankfully unavailable. According to Diachenko, however, the data was also posted on December 12th to a hacker forum, where it was then available to download.

It’s still not clear exactly how the information was collected, although Diachenko suggests that it could have been stolen from the developer API that Facebook provides to app developers so they can access user data and profiles, prior to it becoming restricted last year. Another possibility is that it was all due to a glitch, which enabled the criminals to access the information despite the restrictions. Or, it could simply have been scraped from profile pages that are publicly visible.

According to the published report, “’Scraping’ is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database. It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s – and most other social networks’ – terms of service.”

Regardless of how it actually happened, Facebook users have been warned by the researchers to make sure that their security and privacy settings are set to private rather than public, which can help decrease the chances of their profiles being scraped. This is especially important since the stolen data has also been posted to the aforementioned hacker forum and is still being held by the cybercriminals, so it could very well still be used for targeted phishing attacks or spam.

This isn’t the first time that Facebook user data has been found around the web, and unfortunately it probably also won’t be the last. As recently as September, hundreds of millions of Facebook user phone numbers were again found leaked on an open server, and just a few months prior, in April, two different datasets held by two app developers were found by researchers. In both of these instances, Facebook was the data source for the records.

And one last thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.


Merchants Prepare for Over $40 Billion in Returns [2023 Update]

Not everyone is always thrilled with their Christmas gifts, and now that we can shop for anything we want with relative ease and next to no effort, so too can we return items.

Year on year, Christmas shopping habits are growing and the dollar amount consumers spend is on the rise. It is only inevitable that returns should increase too. This is why this year, merchants are expecting to refund a whopping estimated $41.6 billion worth of merchandise bought online. At least this is what a study undertaken by the commercial real estate services firm CBRE is estimating, along with their partner Optoro, which specializes in assisting merchants with processing returns. The projection for 2018 was $37 billion, so this is a pretty hefty increase which would make for an all-time record.

By assuming that, on average, around 15% to 30% of all online purchases are returned, CBRE and Optoro can calculate the return figure. By contrast, old-fashioned brick and mortar store shoppers return around 13% of their purchases.

An Early Start to Online Returns and High Volume

CBRE and Optoro’s report also states that each year, the return rate in the retail industry grows by around 10%, and up from last year’s $90 billion, this year’s overall cost of returns, both online and in-store, is predicted to reach upwards of $100 billion.

In other areas, USPS is expecting to handle over 1 million returned packages each day of the Christmas period, with its peak hitting on January 2nd with 1.9 million items, over 26% higher than the peak so far in 2019.

CBRE Matt Walaszek Report

According to associate director of industrial and logistics research at CBRE Matt Walaszek, “[The Christmas period is] a time when retailers are seeing all these sales and that does not translate into rising profit margins. However, the returns are quite costly. The costs are the number 1 stressor for the retailers.”

Inefficient methods for handling returns cost the retail industry around $50 billion each year, according to Optoro. Also, with over 10 billion “needless shipments” each year, costs really are adding up for retailers. Often, retailers aren’t able to resell returned merchandise themselves, so one tactic is to try to sell the merchandise to discount stores. Failing that, merchandise has to be destroyed, which, along with the $50 billion in costs each year, generates 5 billion pounds of waste.

Continuing on from what he said before, Walaszek added, “Customers have gotten really accustomed to free returns. We are really spoiled. And retailers have to figure this out to be able to compete in this marketplace.”

Conclusion

Christmas retail sales are expected to rise around 3.8% to 4.2% this year, which would see sales between $727.9 billion and $730.7 billion. With all these increases in sales, money lost through returns is only going to continue to increase too.

Google Comes Under Scrutiny for Acquisition of Cloud Data Science Firm

Just one week before Christmas, the Competition and Markets Authority of the United Kingdom made an announcement that may have played a part in shares of Alphabet, the parent company of Google, losing nearly 3% on the Nasdaq. Usually, announcements related to information security issues tend to have an immediate effect on company stock, but such is not the case with the British CMA; the problem is related to Google’s acquisition of Looker Data Sciences, a data visualization platform headquartered in California.

According to a news report by the Associated Press, the CMA became interested in the aforementioned acquisition in early December with an enforcement notice. The concern was that the merger would make consumers think of Google UK and Looker as indistinct business entities; in other words, there are valid concerns that integrating Looker would unfairly make Google the most attractive choice for business owners and individuals looking for cloud computing services, particularly with regard to website and application hosting.

Let’s say an e-commerce fashion entrepreneur in London is looking for a platform where she can set up her online boutique. She wants bandwidth, security, a shopping cart, a digital payment solution, and visual reports of website traffic as well as transactions. After acquiring Looker, Google will probably be the most attractive cloud hosting option for this e-commerce entrepreneur because she thinks Google is providing everything all the way down to data visualization. In this example, it is easy to see the CMA concern because third-party data visualization companies would not stand a chance to compete against Google.

The CMA will have from now until February 2020 to update the public on this matter. Google began taking over Looker in June 2019 and has thus far obtained regulatory approval in the United States and Austria. It should be noted that the UK is still part of the European Union, so other nations could very well start looking at this acquisition deal for signs of anti-competitiveness. In the U.S., Google is one of various technology giants being investigated for what state and federal regulators may consider antitrust activity; interestingly, one of the aspects of these investigations focuses on digital payments, particularly popular platforms such as Apple Pay and Google Pay.


Contactless Payments on the Rise [2023 Update]

When we cast our eye across the pond and towards the rest of the world, we start to notice some very different point-of-sale (PoS) consumer behavior. In somewhere around 25 of our closest international buddies, more than 50% of all face-to-face Visa transactions are done via contactless payment. If we look over to the Australians even, that number easily passes 90%.

It’s not as if this was never attempted in the United States. There was an attempt at a broad-scale issuance of contactless cards more than a decade ago, but it didn’t quite work out thanks to lukewarm consumer attitudes and the high costs to issue them. These, and others, were pretty clear signs that it was a bit too early for the U.S. to make its first foray into tap-to-pay. Inhibitors like these, though, are long gone now, so it seems 2020 is the time for a second go now that a real market opportunity has arisen.

The United States now finds itself ready to join ranks with other leading nations where contactless payments are, if not the dominant form of payment, at least a prominent way to go about business. There are many factors, such as open-loop contactless ticketing being finally introduced to major metro systems across the country such as New York’s MTA and the LA Metro, that can further push the opportunities for a contactless cards market in the U.S., along with the following aspects:

We as consumers love our cards:

We’ve had contactless mobile wallet options like Apple Pay and Google Pay for some years now, but the uptake may not quite have been what we’d all expected, which may indicate how much more we prefer to use our actual cards. According to research undertaken by 451, 60% of consumers who prefer to avoid using their mobile wallet do so because there’s either “no need” or they have a “preference for traditional payment methods.”

The cost of issuing the cards has fallen:

The cost of issuing a contactless card has fallen in recent years, due in part to international card issuers. It shouldn’t even cost a dollar for our financial institutions to issue a new contactless card, maybe not even 80 cents. This is compared to the $2 it would have cost just a few years ago.

Merchant acceptance is growing:

Thanks to the EMV (Europay, Mastercard and Visa) liability shift in the U.S. just over 4 years ago in October of 2015, the implementation of dual interface PoS terminals (i.e. terminals that offer both contact and contactless transactions) has come along a lot more rapidly. Now, of all Visa transactions in the U.S., more than 60% of them occur on a contactless-enabled machine. On top of this, more than 75% of the country’s top 100 merchants are currently offering contactless payments as an option at the checkout.

Former PayPal COO is New Google Commerce Chief

Back in June of this year, PayPal made the announcement that COO Bill Ready would be stepping away from his long tenure at the online giant, and we now know precisely why. This coming January, Ready will be stepping into a new role with Google as their new commerce chief, a position from which he will be reporting directly to Prabhakar Raghavan, Google’s Senior Vice President of Engineering.

Having joined PayPal in 2013 after its purchase of his payment gateway startup Braintree for $800 million, Ready moved steadily up the ranks before becoming PayPal’s EVP and COO in 2016. While working in this role at PayPal, Ready was responsible for overseeing product, technology, and engineering, along with the end-to-end experiences of PayPal’s merchant, consumer, Venmo, Paydiant, Braintree and Xoom businesses. On top of this, he co-chaired PayPal’s revenue and profit-focused Operating Group. Today, businesses such as Uber, Facebook, Jet.com, and Airbnb rely on Braintree to power all of their payments.

Many of PayPal’s biggest moves as a company can be traced back to Ready’s tenure, such as the introduction of PayPal One Touch (their most rapidly adopted product of all time), PayPal Commerce, the expansion of Braintree’s global reach, Pay with Venmo, and the redesign of PayPal’s mobile app.

When speaking with regards to Ready recently, Raghavan said “Bill’s exceptional track record building great experiences for consumers and deeply strategic partnerships makes him a powerful addition to our team. I couldn’t be more excited for the future of commerce at Google.”

Ready himself followed this up, saying, “I’ve long admired how Google has enabled access to the digital economy for everyone. Google has been making world-class commerce capabilities universally accessible to partners of all sizes, and I look forward to furthering that mission.”

Bill Ready’s role as Google’s new commerce chief won’t see him getting directly involved with anything to do with the payments side of the business, PayPal’s competitor Google Pay, but it will instead see him focusing on leading the vision, strategy and delivery of Google’s commerce products. While not directly involved in payments operations, he will, however, be working in close partnership with them, along with Google’s advertising operations.

Being in charge of commerce at Google will be no easy task for Ready, in part due to the nature of the close proximity to advertising, which is parent company Alphabet’s largest source of income. Out of a total revenue of $40.5 billion, Google’s ad revenue in Q3 of 2019 alone was $33.29 billion.

When making a statement with regards to Google’s hiring of Ready, CEO of Google and Alphabet Sundar Pichai stated, “I’m thrilled to welcome Bill to Google as we continue our work to create more helpful commerce experiences and build a thriving ecosystem for partners of all sizes.”