CrossCheck Blog

Check Processing & Payments Information

CyberSecurity in the Payments Industry

Posted by Brandes Elitch | Wed, Feb 08, 2017 @ 01:00 PM

When it comes to headlines in the payments industry, data breaches have dominated the news in the last few years. My favorite example is a 2015 event: two "forums" where gamers illegally trade bootlegged copies of Microsoft's Xbox 360 games and Sony's PlayStation games were attacked by fraudsters. The thieves who stole from their fellow thieves took 2.5 million e-mail addresses, passwords and IP addresses. It seems that there is no honor among thieves!

What would the crooks do with this information? On its own, a stolen e-mail address and password pair is enough to try at every major online retailer, because most people reuse passwords across sites. If the thieves also hold stolen credit card numbers (easily available on the Internet) and can cross-reference them with social security numbers and dates of birth, then add an IP address and an e-mail address, they can assemble a convincing identity and commit what is known as an account takeover. The thief logs into an existing account at an online retailer, buys expensive goods with the card on file and resells them. It could be your account that is taken over. Scary, huh?

There are a variety of things happening in the cybersecurity space that are worth watching as they develop. Let’s take a look at a few of them.

APIs

APIs (application programming interfaces) exist to give one piece of software a structured, bounded way to talk to another. But breaches can occur through them. For example, a client may not validate the server's SSL/TLS certificate properly, so an attacker who presents a forged or self-signed certificate can sit in the middle of the connection and read user data. There might be vulnerable endpoints in a SOAP messaging service. There might be flaws in the business logic of the API that let a caller do things it was never meant to do. Or the endpoints might not authenticate requests at all, so without request signing with a key or a shared secret a thief could simply call them directly. You cannot assume that an API has been fully tested against a data breach.
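The "key signing or shared secrets" point above is the one most payment APIs get wrong in practice. The following is an added example, not CrossCheck code or any particular processor's API, showing what request signing with a shared secret looks like on both ends: the client computes an HMAC-SHA256 over the method, path, timestamp, nonce and body hash; the server recomputes it, compares in constant time, and also rejects stale and replayed requests. The header names, the path /v1/payments, the secret and the sample body are all illustrative assumptions.

```python
"""Request signing with a shared secret (added example, not CrossCheck code).

Each request carries a timestamp, a nonce and an HMAC-SHA256 tag over the
method, path, timestamp, nonce and body hash. The server recomputes the tag
with the same shared secret and rejects anything that fails, is stale or is
replayed. Header names, path, secret and sample body are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical shared secret, provisioned out of band to exactly one API client.
SHARED_SECRET = b"example-client-secret-rotate-me"
MAX_SKEW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical_string(method: str, path: str, ts: int, nonce: str, body: bytes) -> bytes:
    """Fixed, unambiguous layout of everything the signature covers."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 ts: int, nonce: Optional[str] = None) -> dict:
    """Client side: produce the auth headers for one request."""
    nonce = nonce or secrets.token_hex(16)
    tag = hmac.new(secret, canonical_string(method, path, ts, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": tag}


class Verifier:
    """Server side: checks freshness, signature, then single use of each nonce."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces = set()  # in production: a store with expiry, not a set

    def verify(self, method: str, path: str, body: bytes, headers: dict, now: int):
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        expected = hmac.new(self.secret, canonical_string(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag one byte at a time through timing.
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
        # Only a correctly signed request may consume a nonce, so an attacker
        # without the secret cannot fill this set with junk.
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo() -> dict:
    """Walk a good request, a tampered body, a replay and a stale request through the verifier."""
    ts = 1_700_000_000  # constructed fixed clock so the walkthrough is deterministic
    body = b'{"amount": "100.00", "to": "merchant-42"}'  # constructed sample body
    headers = sign_request(SHARED_SECRET, "POST", "/v1/payments", body, ts)
    v = Verifier(SHARED_SECRET)
    results = {}
    results["good"] = v.verify("POST", "/v1/payments", body, headers, now=ts + 5)[1]
    # Attacker changes the amount but cannot recompute the tag without the secret.
    tampered = b'{"amount": "9999.00", "to": "merchant-42"}'
    results["tampered"] = v.verify("POST", "/v1/payments", tampered, headers, now=ts + 5)[1]
    # The original, valid request sent a second time: its nonce is already used.
    results["replay"] = v.verify("POST", "/v1/payments", body, headers, now=ts + 6)[1]
    # A correctly signed request whose timestamp is an hour outside the window.
    stale = sign_request(SHARED_SECRET, "POST", "/v1/payments", body, ts - 3600)
    results["stale"] = v.verify("POST", "/v1/payments", body, stale, now=ts)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Note the order of checks: the signature is verified before the nonce is recorded, so only someone holding the secret can consume nonces, and the timestamp window bounds how long the server has to remember them.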

The Internet of Things

The idea here is that technology will stand in and do things that you do yourself now: turn up the thermostat when you get home, check the fridge for expired items, dim the lights, turn on the sprinklers, or shovel the front walk (no, I made that one up). But there have been compromises of such devices, for a variety of reasons.

For one thing, there is no comprehensive IoT certification program, although frameworks are available (e.g. the Online Trust Alliance's IoT Trust Framework). Many suppliers are small companies that do not have the resources for robust security testing. Firmware is not tested regularly, and many devices have no way to receive security updates at all once they ship. Devices often store or transmit Wi-Fi credentials insecurely, so it is easy for an attacker on the same network to intercept passwords, and they often use third-party electronics and software components that are not certified or tested. Having a thief take over your home security system and manage the electricity in your house would be pretty darn terrifying, an experience that you would never forget.

Big Data

This concept, all the rage today, uses very large data sets that may be analyzed computationally to reveal patterns, trends and associations that, hopefully, would lead to better decision making. This is also called “predictive analytics” and “data driven marketing.” In theory, this should result in better forecasting, but in practice, not so much. Take the 2016 presidential election, for example.

Adding more data does not solve the problem of a poorly designed model on which this is predicated, or bias in the methodology. Sources used may not be truly reflective of the overall population. As someone said, “Big data requires big judgment,” and this seems to be lacking in many aspects of our society. I’m just glad I didn’t bet on the results of the election.

Blockchain

The idea behind Blockchain is a data structure that creates a shared digital ledger. Copies of the ledger are held by a distributed network of computers. There is no central authority, and each participant can use it in a secure way. Each block commits to a cryptographic hash of the block before it, so altering an old entry invalidates every block after it; a forger would have to recompute the entire chain from that point and then get the rest of the network to accept the result, which makes tampering impractical rather than literally impossible. Banks are investing in this now, but they are not going to walk away from already massive investments in infrastructure that is mission critical today, nor is Blockchain going to be a higher priority than, say, keeping up with the massive tide of regulation and compliance issues. Yes, banks do lose billions of dollars to fraud every year, but fixing that problem is secondary to keeping all core systems up and running 24/7/365 with zero tolerance for error or delay.
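To make the tamper-evidence claim concrete, here is an added example (not a description of any bank's system or any real blockchain) of a minimal hash-chained ledger. It shows why editing one old entry breaks every later link, why re-hashing just the edited block is not enough, and the one thing a local hash check cannot catch: an attacker who rewrites the whole chain from the edit onward, which is where the other participants' copies and network consensus come in. The ledger entries are constructed sample data; proof of work and consensus are deliberately left out.

```python
"""Minimal hash-chained ledger (added example, not any real blockchain).

Each block commits to the SHA-256 of the previous block, so editing an old
entry breaks every link after it. Proof of work and the network consensus
that real blockchains layer on top are deliberately omitted.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64  # predecessor hash of the first block


def block_hash(index: int, prev_hash: str, data: dict) -> str:
    """Hash a block's fields in one fixed, canonical serialization."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(entries: list) -> list:
    """Append each entry as a new block linked to the one before it."""
    chain = []
    prev = GENESIS_PREV
    for i, data in enumerate(entries):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list):
    """Recompute every hash and every link; return (ok, index of first bad block)."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk["index"] != i or blk["prev"] != prev:
            return False, i
        if block_hash(blk["index"], blk["prev"], blk["data"]) != blk["hash"]:
            return False, i
        prev = blk["hash"]
    return True, None


def tamper_demo() -> dict:
    """Three attempts to alter block 1 of a three-block ledger, and what each reveals."""
    # Constructed sample entries; not real transactions.
    entries = [
        {"from": "alice", "to": "bob", "amount": 50},
        {"from": "bob", "to": "carol", "amount": 20},
        {"from": "carol", "to": "dave", "amount": 5},
    ]
    chain = build_chain(entries)
    assert verify_chain(chain) == (True, None)

    # 1. Edit block 1 in place: its own stored hash no longer matches its contents.
    forged = json.loads(json.dumps(chain))  # deep copy
    forged[1]["data"]["amount"] = 2000
    naive = verify_chain(forged)

    # 2. Also recompute block 1's hash: block 2 still points at the old hash.
    forged[1]["hash"] = block_hash(1, forged[1]["prev"], forged[1]["data"])
    rehashed = verify_chain(forged)

    # 3. Rebuild every block from the edit onward: the local chain now verifies,
    #    but its tip hash differs from the copy every other participant holds.
    rewritten = build_chain([b["data"] for b in forged])
    return {
        "naive": naive,
        "rehashed": rehashed,
        "rewritten_ok": verify_chain(rewritten)[0],
        "tip_changed": rewritten[-1]["hash"] != chain[-1]["hash"],
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:13s} -> {outcome}")
```

The third case is the important caveat: a hash chain alone only proves that a copy is internally consistent. Detecting a rewritten history requires comparing against copies held elsewhere, which is what the distributed network and its consensus rules provide.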

Biometrics

There is a lot of appeal on the surface of replacing passwords with a fingerprint, heartbeat, voice/facial recognition or iris/retina scan. But there are two basic problems with this. First, your biometrics cannot be kept secret forever (someone else is going to have your fingerprint or a photo of you), and second, if compromised, they cannot be revoked. You cannot change your fingerprint. A fraudster could present fake biometrics to the sensor (a lifted fingerprint, a photo), inject a fraudulent feature set after the sensor, or tamper with the stored templates that new readings are matched against. Biometrics are useful in conjunction with other security features, but as a standalone system, there are certain risks that could prove problematic in the future.

Artificial Intelligence

AI is the theory and development of computer systems to perform tasks that normally require human intelligence, such as speech recognition, decision making and visual perception. But there are some very real concerns here. Obviously, there is the fear of unwanted surveillance or invasion of your privacy. One study (Oxford Martin) predicted that as many as half of today’s jobs could be automated out of existence in the next 20 years, and now we have some serious ethical issues for society at large. There is also a threat to human dignity, where sensitive jobs that require delicate decisions (e.g. judge, nurse, police officer) are now performed by a robot for which the decision is either black or white and there are no shades of gray. Sometimes, shades of gray are important.

Employee Tools

Today, many employees, consultants and contractors work outside of the office. Employers give them tools to simulate the office environment. For example, you might have Outlook Web Access to connect remotely to Microsoft Exchange and view and send e-mail from a web browser. You could connect to the employee intranet to communicate, share knowledge and collaborate remotely with colleagues. You could access an FTP site to exchange files with off-site parties (plain FTP sends passwords and file contents unencrypted, so SFTP or FTPS should be used instead). Now this might look like a real convenience to off-site employees, but each of these is a door into company systems that is reachable from the Internet, and the possibilities for hacking sensitive company information are pretty sobering, particularly for a small company with no real IT staff.

Conclusion

Here are seven popular topics that are typically discussed when the topic of cybersecurity comes up. As you can see, things are not always what they seem, and it would appear that we still have a long way to go on this topic to lessen concerns about real security. However, there is one tried-and-true payment system that is resistant to the concerns outlined here: the check, particularly CrossCheck's Remote Deposit Capture Plus solution with options including Multiple Check.

With Multiple Check, the consumer writes up to four checks and hands them to the merchant, who runs them through our imager. The imager prints a receipt and the merchant gives the checks back to the consumer. CrossCheck clears the check as a Check 21 item (digital check) on the dates chosen by the consumer and puts the money in the merchant’s bank. This frees the merchant from keeping track of when to make these deposits and doing the banking.

All transactions are encrypted. There is no possibility of this information being stored on the merchant’s server, nor is there a possibility that a fraudster will get their hands on the checks. This is a lot more secure than a credit card transaction, and a lot cheaper for the merchant too. Unlike ACH check conversions, we are not sharing the MICR line with anyone either.

So the next time you are looking for someone to process high dollar checks with a guarantee that you will get paid, and automate your banking so you don't have to physically go to the bank or use an armored courier, think of CrossCheck's Remote Deposit Capture Plus solution with Multiple Check. Now that's security!

Written by Brandes Elitch

Brandes Elitch is Director of Partner Acquisition for CrossCheck Inc. A certified cash manager and accredited ACH professional, he garnered a Master of Business Administration from New York University and a Juris Doctor from Santa Clara University.