Sometime in mid-February 2017, anti-fraud teams from multiple financial institutions contacted KrebsOnSecurity for help tracing the source of a credit card fraud happening in high-end restaurants around the U.S. Investigations revealed a vast majority of patrons with compromised cards dined in locations run by Select Restaurants, Inc., a management group out of Cleveland, OH.
Further digging also uncovered a tie-in with an earlier breach discovered in July 2016 that occurred in another national restaurant chain in the U.S.–CiCi’s Pizza.
The common link was the point-of-sale (POS) vendor–Datapoint POS.
Select Restaurant hackers had either guessed or phished a remote access password to gain access to the system, and siphoned credit card data through an executed version of the malware PoSeidon.
PoSeidon is a POS malware variant that steals credit and debit card data from hacked point-of-sale devices. Cyber criminals use that data to open fraudulent credit card accounts and make purchases.
They also sell that information on websites to other professionals for the same purpose.
“When the POS vendor found malware on the POS software at some CiCi’s restaurants, we immediately began a restaurant-by-restaurant data security review and remediation,” a CiCi representative explained.
Credit card fraud is on the rise, and these challenges are not limited to the hospitality industry. Other industries and entities affected include:
The ITRC Breach database estimates 36,601,939 known records were exposed in 2016.
2016 Statistical Data on Card Fraud
Select and CiCi are only two of the breaches affecting organizations over the last 12 months.
In their 10-17-2016 Report, Nilson, the global payment systems publication, found money lost to credit card fraud in 2017, is expected to rise 12%–from $24.71B in 2016 to $27.69B. That number is expected to climb to $31.26B in 2018, and will likely top out at a whopping $32.82B in 2019.
These numbers reflect general-purpose and private-label global brand cards. Charges include purchases of both goods and services, combined with cash advances and withdrawals from ATMs. This does not include costs incurred by issuers, merchants, and acquirers for their operations, call centers, and chargeback management.
In a 2014 study entitled What Every Card Not Present Merchant Should Know, Verifi.com estimated the cost to card merchants per customer record breach was $195US, with an average of 28K records per breach.
Nilson estimates Card-Not-Present (CNP) fraud, which includes online and cross-border transactions, accounted for 41.2% of all fraud in 2016 among general-purpose card brands in the U.S., and 24.0% worldwide.
What these numbers don’t tell you is the toll fraudulent activity takes on the public sector, on business, and on customers–and it’s assuredly more than just financial. Lost confidence translates to lost business.
And believe it or not, some potential fraud is actually “friendly.” That is, sometimes customers lie about what is in their statement. Purchase and payment behavior profiles flush out this kind of fraud, as well.
What Organizations Can Do to Prevent and Mitigate Credit Card Fraud
Anytime there is credit card fraud it is a mess. Police and law enforcement agency must be notified and paperwork filed. Organizations, insurers, banking institutions, and customers can lose considerable amounts of hard-earned money. Sadly, after all of that trouble, there’s still no guarantee the perpetrators will be speedily found.
The best approach to Credit Card Fraud is to avoid it altogether.
Defined Action Plans to Prevent Online Credit Card Fraud
It is time for organizations to create proactive, cyber security strategies to nip online credit card fraud before it happens. Here are some proven strategies that work:
Let’s look at these a little more closely.
1. Stolen Cards
A good security provider helps businesses put controls in place to alert all parties when a card goes missing or cardholder begins to see strange charges.
2. Hardened Security Profiles
Boosting your organization’s security profile is a layered approach. It involves disabling unnecessary protocols, adding security layers, documents, and software restriction policies. It is not a set and go situation either. Regular monitoring, patching, and other measures are required to keep a security posture up to date.
3. Card Use Restrictions
Use restrictions, such as spending limits, sanctioned vendors, and purchase types on corporate credit cards, keep small problems from turning into big ones.
4. Amped Up Security Policies
By having robust, actionable security policies in place, your organization can also see savings on insurance fees. Working with card issuing authorities to communicate early, increases visibility when an incident occurs and closes gaps for unwanted activity to take place.
What actions can organizations take to boost their credit card security position?
First Steps/Next Steps to Fraud Prevention
Because of widespread fraud, many organizations worry how they will prevent attacks, and, if attacked, how the financial impact of these events could disrupt their ability to do business.
You can protect your customers and employees before they become fraud targets. The Blueliv Credit Card Theft module delivers a list of recovered credit cards in real-time that allows you to retrieve compromised cards before they’re published and sold on the deep Internet and black market sites. It also provides early warning features, like heatmaps for black market operations and malware detection.
Our analysts are ready to serve you. Don’t hesitate to reach out for a consultation.