Cyber Monday Risks for Banks, Stores
Watch Out for Phishing, Mobile Malware and Fraudulent Gift Cards
According to fall surveys conducted by the Information Systems Audit and Control Association, the independent global information systems group, employees at various businesses throughout the U.S. are expected to spend six hours shopping from work computers or work-supplied mobile devices this holiday season.
From a security perspective, those percentages are threatening, says ISACA's Mark Lobel, a member of the association's External Relations Committee and a principal advisor at PricewaterhouseCoopers. The risks associated with those online spending behaviors are the most concerning, Lobel says. "There were three risky online work behaviors that we saw," he says. "The first one was clicking on an e-mail link to access a shopping site." The other two: using business-provided mobile devices or smart phones and PCs for personal browsing.
Risky Links to Online Shopping
Julie McNelley, an analyst at Aite who focuses on fraud, says retailers expect holiday spending to increase this year, and that increased spending means more risk for merchants, consumers and financial institutions.
Banking institutions can help their customers -- and employees -- now by providing information about holiday shopping fraud risks, McNelley says.
"This is a great time of year for phishing and vishing attacks," she says. "Explain to consumers what the appropriate messages they will see are, and how those messages will come -- over e-mail, mail, text or phone." For instance, tell consumers that calls allegedly coming from merchants about purchases are likely scams. The same holds true for e-mails and text messages to their mobile phones, because smishing will likely be a big problem, too.
Mobile: Mitmo and the Unknowns
Beyond smishing, mobile browsing to online shopping sites also poses challenges. One security risk: Malware. In October, researchers at security firm S21sec confirmed that Zeus had hit mobile users at 12 Spanish banks. Daniel Brett, head of business development for S21sec, says the attack was a dual Zeus compromise -- one that involved a malicious attack that combined online with mobile. "It was the first time we've seen people using a combination of Zeus with a mobile piece of malware and an online attack all in one," Brett says, and it's a trend of which consumers must be mindful this holiday shopping season.
Perils of Prepaid
John Buzzard, client relations manager for FICO's Card Alert Service, says institutions should take time to educate consumers and merchants about all cyberthreats, whether online or mobile.
Buzzard says banks, credit unions and retailers should be particularly mindful of a more traditional fraud facilitator that's popular around the holidays -- the prepaid gift card. Purchases made with prepaid or stored-value cards are anonymous, and the increasing open-loop nature of branded prepaid cards only compounds the anonymity problem. Prepaid cards issued and branded for MasterCard and Visa pose the greatest threats, because the cards can be loaded and used anywhere, so tracking transactions and monitoring monetary values loaded to cards is impossible.
Fake prepaid cards also are easy for fraudsters to manufacture. And with no identification line that connects the user to the purchase, prepaid cards are a criminal's easiest target. Authenticating prepaid transactions, by checking CVV and CVC card verification values embedded into the magnetic stripe, is the best way to ensure a prepaid card is real, Buzzard says.
Working around the anonymity of the prepaid purchase is a separate concern. But Buzzard recommends that merchants require anyone who's using a prepaid card to present a driver's license, especially if the purchase exceeds a specified amount. "Restrict gift card purchases through self-checkout lanes and, most importantly, scrutinize the payment card being used for the purchase," he says.
Fraudulent purchases made with prepaid or stored-value cards are an increasing problem. On Dec. 8, the Federal Reserve Bank of Atlanta expects to release a payments study that for the first time will include focused insights about the explosive use of prepaid cards and the fraud threats they pose. In the meantime, Buzzard says banking institutions and retailers can put measures in place to ensure more secure prepaid purchases. Among his suggestions: Merchants should set up gift-card hotlines for banks and credit unions to report fraudulent gift-card purchases. "It often takes hours or days to identify the correct department or go-to person to report fraudulent transactions, once they are identified by the card issuer."
Tips for Safer Shopping
Beyond prepaid cards, the holiday shopping season heightens risks to all payment card transactions. To reduce vulnerabilities for consumers, merchants and institutions alike, Buzzard offers these tips:
- Use the Code -- Financial institutions and retailers should take advantage of the three-digit card values (CVV=Visa and CVC=MasterCard) embedded within the card's magnetic stripe. The values can be used for transaction authentication.
- Share All Holds -- Institutions should allow cardholders to view all temporary transaction holds when they log onto their online banking accounts. "The idea is to alert them to anything that appears to be suspicious," Buzzard says.
- Issue Alerts -- Offer text or e-mail notifications for account balance alerts and transactions. "Customers are your first line of defense," he says. "Abrupt changes in transactional activity can lead to faster fraud detection."
- Monitor Profiles -- Institutions must rely on customer profiles to identify out-of-character spending habits when they occur.