Jul 08 2011

How to protect ourselves from Payment Fraud

Category: Cyber Threats, Cybercrime, pci dss | DISC @ 11:26 pm

Some basic advice has been issued by Apacs, and includes:

    * Don’t let your cards or your card details out of your sight when making a transaction
    * Do not keep your passwords, login details or Pins written down
    * Do not disclose Pins, login details or passwords in response to unsolicited emails
    * Only divulge card details over the phone when you have made the call or when you are familiar with the company
    * Access internet banking or shopping sites by typing the address into your browser. Never enter your personal details on a website you have accessed via a link from an e-mail
    * Shop at secure websites by checking that the security icon is showing in your browser window (a locked padlock or an unbroken key)
    * Always log out after shopping and save the confirmation e-mail as a record of your purchase

      For more advice you can visit:

      Spotting and avoiding common scams, fraud and schemes online and offline

      How the scam works and what you need to do about it.

      and

      Online payment Security and Fraud Prevention

      Tags: Australia, Business, Credit card, Financial services, fraud, Internet fraud, Online banking


      Dec 19 2010

      Protect your credit card information and avoid Fraud

      Category: cyber security | DISC @ 10:51 pm

      Essentials of Online payment Security and Fraud Prevention

      As we all know, credit card fraud is on the rise and crooks are using more advanced techniques to acquire credit card information. In these circumstances anyone can lose their private and credit card information to crooks. Individual due diligence is necessary to protect credit card information, and below are a few measures which can help.

      – At least once a year (or preferably every 6 months) report each one of your cards missing so that your credit card company issues you a new card. Crooks often steal credit card information but wait until they have collected many records (at least a million) before they sell them, and this process typically takes a year (according to the FBI). So most of the time your credit card information may be compromised without you knowing about it until the crook sells it to a buyer; then, in a matter of 1-2 weeks, you get hit by tons of purchases, and before you know it your credit card is maxed out and you are stuck with proving it wasn’t you.

      – Sign up with www.LifeLock.com instead of the many identity theft programs that your bank offers. This program costs about $80-$100 a year (similar in cost to what banks like Chase and WFB offer), but it TRULY covers all the costs incurred when your identity is stolen and your cards are maxed out. They do by far MORE than the other programs that banks offer, and they cover all the costs that you may incur (including replacing a PC that may be infected with a virus).

      – If anyone calls you (from Visa, MC, AmEx or any credit card company) and tells you anything like your credit card has been used, stolen, etc., get their telephone number and tell them you will call them back before you say ANYTHING to them. Then call the 800 number on the back of your card and verify that the phone number they gave you is indeed a valid one. Do NOT give anything, especially the 3-digit code off the back of your card, to anyone who calls you.

      – As always, do NOT enter your ATM card PIN into any email.

      – Do NOT open any emails from anyone that you do NOT know. If you do, and a .pdf file is attached, make sure it makes sense that the sender has sent you this file; otherwise do NOT open the .pdf file. Many viruses are embedded in .pdf files (not pictures or txt files, just .pdf).

      – If you do on-line banking (as we all do), do NOT do bill payment, or if you do, check the balance in your account once a day. Also, if possible, contact your bank and BAN any WIRE TRANSFERS from your account. Tons and tons of wire transfer fraud has happened during the past year or two and people have LOST THEIR MONEY; the banks have NO obligation to repay even if you can prove you didn’t do the transfer. They say that your computer was hacked and that it is YOUR fault, not theirs. Check your bank account balances DAILY, as with a wire transfer you have 24 hours (in most cases) to reverse it, but once it is gone your money is GONE and you may never be able to get it back.

      – NEVER give your laptop for repair or upgrades to anyone that you do NOT know really well. Once your laptop or computer is in the hands of a crook, he can install spyware and other programs that go into the core of your PC, and nothing, as in NOT EVEN FORMATTING YOUR HARD DISK, can get rid of the virus or spyware. Your only option is to throw away your PC and buy a new one.

      – When online, if you happen to go to a website that has many different items on it, such as “Sarah Palin’s info”, “Earthquake victims”, “Las Vegas Deals”, etc., DO NOT open any files or documents (don’t click on them). These websites are put together by very smart crooks who want to attract people, so they have a variety of info posted, but each article has a virus/spyware loaded in it, and if you click on it the virus will be loaded onto your PC; from that point on they can monitor your keyboard entries, even the screens you look at. Avoid any website that has an unusual or strange collection of info on it.

      – Have one credit card with a low limit ($1000-$2000) only for use on internet purchases.

      – Have another card with an even lower limit ($500) only for use at gas stations. Gas stations have the highest rate of fraud because the pumps have readers/PIN pads in them that are really old and do NOT have any security features. So have a very low limit card only for use at gas stations.

      – Have one or more high limit cards that you only use when you purchase something that you SIGN for, and always check your statements at the end of the month.

      Tags: Business, Consumer, Credit card, Financial services, Identity Theft, Merchant Services, Sarah Palin, Wire transfer


      Aug 23 2010

      13 Things an Identity Thief Won’t Tell You

      Category: Identity Theft | DISC @ 11:10 am

      Stopping Identity Theft: 10 Easy Steps to Security

      by Reader’s Digest Magazine, Thu Aug 12, 2010. Interviews by Michelle Crouch

      Former identity thieves confess the tactics they use to scam you.

      1. Watch your back. In line at the grocery store, I’ll hold my phone like I’m looking at the screen and snap your card as you’re using it. Next thing you know, I’m ordering things online, on your dime.

      2. That red flag tells the mail carrier, and me, that you have outgoing mail. And that can mean credit card numbers and checks I can reproduce.

      3. Check your bank and credit card balances at least once a week. I can do a lot of damage in the 30 days between statements.

      4. In Europe, credit cards have an embedded chip and require a PIN, which makes them a lot harder to hack. Here, I can duplicate the magnetic stripe technology with a $50 machine.

      5. If a bill doesn’t show up when it’s supposed to, don’t breathe a sigh of relief. Start to wonder if your mail has been stolen.

      6. That’s me driving through your neighborhood at 3 a.m. on trash day. I fill my trunk with bags of garbage from different houses, then sort later.

      7. You throw away the darnedest things: preapproved credit card applications, old bills, expired credit cards, checking account deposit slips, and crumpled-up job or loan applications with all your personal information.

      8. If you see something that looks like it doesn’t belong on the ATM or sticks out from the card slot, walk away. That’s the skimmer I attached to capture your card information and PIN.

      9. Why don’t more of you call 888-5-OPTOUT to stop banks from sending you preapproved credit offers? You’re making it way too easy for me.

      10. I use your credit cards all the time, and I never get asked for ID. A helpful hint: I’d never use a credit card with a picture on it.

      11. I can call the electric company, pose as you, and say, “Hey, I thought I paid this bill. I can’t remember, did I use my Visa or MasterCard? Can you read me back that number?” I have to be in character, but it’s unbelievable what they’ll tell me.

      12. Thanks for using your debit card instead of your credit card. Hackers are constantly breaking into retail databases, and debit cards give me direct access to your banking account.

      13. Love that new credit card that showed up in your mailbox. If I can’t talk someone at your bank into activating it (and I usually can), I write down the number and put it back. After you’ve activated the card, I start using it.

      Tags: Automated teller machine, Business, Credit card, debit card, Financial services, Identity Theft, MasterCard, Visa



      Dec 30 2009

      ATM bandits hack security

      Category: pci dss, Security Breach | DISC @ 11:31 pm

      Overseas gangs have cracked the code of ATM anti-skimming devices in Australia just two months after their roll-out.

      ATM Security Breach News Video

      An overseas gang has cracked ATMs in Australia using skimming devices, and bank customers are defenseless against organized crime unless they check the ATM themselves for any sign of tampering.

      Aussies are awesome at the game of cricket, but their banking system still uses the magnetic stripe rather than the chip, which makes it easy pickings for the overseas gangs.

      Tags: Australia, Automated teller machine, Bank, Banking Services, Banks and Institutions, Financial services, Magnetic stripe card


      Nov 30 2009

      Hackers steal credit-card numbers from restaurant customers

      Category: pci dss, Security Breach | DISC @ 2:44 am


      Here we have another unnecessary credit card data breach in a small organization, in this case a restaurant, which resulted in the loss of customer data and demonstrates the poor baseline security of small organizations. Small organizations are not ready for PCI compliance. Check out why PCI compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.

      Contact DISC for any questions

      By Theodore Decker
      THE COLUMBUS DISPATCH

      Diners who frequent a popular Downtown restaurant should review their charge-card statements because hackers broke into its computer system to loot debit- and credit-card numbers, police said today.

      Between 30 and 50 people have reported fraudulent charges on their accounts, and Columbus detectives said that anyone who used a charge card at Tip Top Kitchen and Cocktails in July or August is at risk.

      Detective Wyatt Wilson of the Columbus police fraud/forgery unit said police began linking reports of credit-card fraud in October. Cross-checking the victims’ accounts revealed Tip Top, which is on E. Gay Street, as a common denominator, he said.

      The hackers have been traced to an overseas Internet address, and no Tip Top employees are involved, police said. Wilson said the business was as much a victim as its customers were.

      The hackers found a weak point in the restaurant’s computer defenses, wormed their way in, and installed “malware” that stripped the numbers, he said.

      The restaurant has fixed the problem, but customers who charged anything there in July or August should contact their credit-card companies or banks, cancel their cards and get new ones, even if they haven’t been victimized yet, police said.

      New fraud reports have rolled in periodically until a few days ago, Wilson said, indicating that the card numbers are still in criminal circulation.

      Elizabeth Lessner, the restaurant’s owner, said she has been told by investigators that the breach might have been the work of high-level hackers in Russia, and she wondered whether it was connected to a global case that surfaced this year.


      Most small companies have trouble justifying their investments when it comes to security. At the same time, PCI DSS for “brick & mortar” merchants has been a blessing for security firms who sell hardware solutions to small merchants. The problem is that these hardware point solutions do not address the business issues a small merchant faces on a daily basis.
      This is why small merchants need to build a security program and in-house expertise, with training and the help of an outside consultant, in order to understand clearly the business issues related to information security. You mature this process over time with ongoing effort and full management support.
      Do you think it’s time for small merchants to take information security seriously as a business-limiting risk?

      Prevent and Protect from Credit Card Fraud and Scams

      httpv://www.youtube.com/watch?v=YS_jCET-YFA&feature=related


      Tags: Banking Services, Business, Credit card, crime, Financial services, fraud, hacker, Information Security, Malware, Payment Card Industry Data Security Standard, Point of sale, Police, Security



      Apr 28 2009

      PCI DSS Misconceptions and Facts

      Category: pci dss | DISC @ 7:13 pm

      M1 – We are a relatively small company, so we don’t have to worry about PCI compliance
      F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

      M2 – PCI DSS is either a regulation or a standard
      F2 – It’s neither a standard nor a regulation. It is a contractual agreement between the card associations, the merchant banks and merchants

      M3 – We neither understand PCI nor have in-house expertise to address compliance
      F3 – The PCI documents clarify most of the questions in business terms, but get help to interpret the technical questions. Due care implies understanding your requirements in order to comply and protect your data

      M4 – PCI has no ROI and is simply too much for a small business
      F4 – PCI addresses baseline security for the payment card infrastructure, and its ROI is the total cost of ownership

      M5 – Why bother when some companies get breached even though they were compliant
      F5 – PCI DSS compliance is not a one-time exercise; it is an ongoing process to maintain it

      M6 – PCI compliance cannot be that hard, all we have to do is fill out the questionnaires
      F6 – Yes, but the questionnaire has to be validated through a scan. Vulnerabilities need to be resolved before submitting the report to the merchant bank

      M7 – My application and POS equipment are PCI compliant
      F7 – PCI DSS compliance applies to an organization, not to an application or a piece of equipment

      M8 – PCI compliance addresses the security of the whole organization
      F8 – PCI DSS does not address the CIA (confidentiality, integrity and availability) of the whole organization, only cardholder data security

      M9 – A data breach will not affect the business revenue
      F9 – You become a Level 1 merchant (cost of monitoring), lose card-acquiring ability, and face forensic charges and fines

      M10 – We don’t need to scan PCI assets
      F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

      M11 – Merchants can use any application to transmit, process and store PCI data
      F11 – Not really; beginning in 2010, merchants can only use payment applications validated under the Payment Application Data Security Standard (PA-DSS)

      M12 – We have compensating controls in place, so we are covered
      F12 – You still have to prove how well the compensating control covers the PCI requirement. Compensating controls are harder to do and cost more money in the long run












      Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security


      Nov 26 2008

      Cyber threats and overall security assessment

      Category: Information Warfare, Risk Assessment | DISC @ 3:13 am

      In the past, when senior management (execs) needed to understand the financial implications of cyber threats and their exposures, they turned their questions toward IT for relevant answers. In other words, an IT risk assessment used to be the answer for understanding the financial implications of cyber threats. But an IT risk assessment is not a comprehensive or overall assessment of the company, and it cannot capture the total implications of cyber threats. The overall assessment includes not only IT but also other departments like HR and legal. Basically, cyber threats are no longer just an IT issue, a legal issue or an HR issue; they are an enterprise management issue.

      In the old days the firewall was the major defense against potential cyber threats. Today’s cyber threats are sophisticated enough to demand a better defense. New threats (viruses, adware, worms, Trojans, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand immediate attention (from the CFO or higher) and approval of resource allocation to protect against them. To make a solid business case for security ROI, senior-level execs need to know the overall risk they are reducing and which risks are their highest priority.


      ANSI and ISA have jointly released a document to help senior management prepare for the financial implications of cyber threats. The essence of the guide is to give execs a tool for understanding the financial implications of potential cyber threats to their organizations.

      “The 40-page guide was put together by a task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFOs ask their various teams questions about the biggest threats to data confidentiality, integrity and availability,” to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs map cyber threat risks into correct financial terms and make better resource allocation decisions.
      Senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice; it provides reasonable ongoing due diligence to protect and safeguard organization data.


      Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security