- Details
- Category: Security News
In a Faceless Environment; We Need a New, Multidimensional Approach to Authentication
A hacker who calls himself "The Dark Overlord" has been stealing healthcare databases and then attempting to ransom them back to victim organizations in exchange for bitcoins. This edition of the ISMG Security Report kicks off with an analysis of the attacks, delivered by Marianne McGee, ISMG healthcare information security editor, as well as their implications for the cybersecurity practices of all healthcare organizations.
You'll also hear (click on player beneath image to listen):
- A report on efforts in Congress - spearheaded by House Homeland Security Committee Chairman Michael McCaul, R-Texas, and Sen. Mark Warner, D-Va., a member of the Senate Intelligence Committee - to create a bipartisan "Digital Security Commission" designed to gather and deliver essential encryption facts to Congress, to help it tackle ongoing crypto and "going dark" debates.
- A discussion with Tracy Kitten, ISMG's executive editor for banking, on the steps that financial services firms are taking to institute real-time fraud prevention to better protect real-time transactions.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our June 24 and June 28 reports, which respectively analyze the steps the U.S. federal government took to nab 301 individuals - including physicians, pharmacists and nurses - for Medicare and Medicaid fraud and the cybersecurity, cybercrime intelligence-sharing and privacy repercussions of Britain's "Brexit" from the European Union. The next ISMG Security Report will be posted Tuesday, July 5.
Theme music for the ISMG Security Report by Ithaca Audio under Creative Commons license.
So why is Visa temporarily reducing the fraud chargeback burden on non-EMV-compliant U.S. merchants? Mark Nelsen, Visa's senior vice president, says it boils down to this: The card brand wants to give retailers a break while it takes steps to streamline the cumbersome certification of new POS devices.
In an interview with Information Security Media Group, Nelsen acknowledges that many retailers have found it difficult to get their EMV-compliant POS devices certified. "We see that there are some bottlenecks that are some pain points," he says. "So we're just proactively trying to address some of these bottlenecks."
Visa, MasterCard and American Express have agreed to streamline the EMV certification process for merchants, in some cases limiting the number of tests that have to be conducted on POS devices to have them certified, Nelsen points out. Plus, they're simplifying the required functionality of the POS devices.
To give retailers a break during the ongoing rollout of certified equipment, starting July 22, Visa is blocking all chargebacks to merchants for counterfeit card fraud on transactions totaling $25 or less. And beginning in mid-October, Visa will cap the number of chargebacks an issuer can charge back to a merchant at 10 per account. AmEx is making similar adjustments.
"With those changes in place, that will represent around 40 percent of the chargebacks from a transaction count that today the merchants are seeing," Nelsen says.
Last October, liability for counterfeit card fraud on magnetic-stripe transactions shifted from issuers to merchants that have not yet deployed EMV.
Reviewing Chargeback Processes
Some retailers have complained that many of the chargebacks have been unfairly high, and in some cases even unwarranted. But Nelsen contends Visa is regularly reviewing issuers' chargeback processes to ensure merchants are not being unfairly charged.
"We look at those current fraud rates that we're seeing and how issuers are using different reason codes for chargebacks on fraud types," he says. "And we don't see any noticeable change in the issuers' behavior. ... I think what is challenging for merchants is that they've never seen fraud at the point of sale before, because they've never had the liability. And so anytime they see a fraud that occurs on an account, and maybe there are multiple transactions that are fraudulent, they may wonder, 'Why didn't the issuers catch it? How could they let 10, 25 transactions go through on an account?' And the answer is, issuers are not perfect in identifying fraud; it's hard to capture fraud. They do a really good job, but some fraud goes through."
During this interview (see audio link below photograph), Nelsen also discusses:
- Statistics that show the U.S. is now the largest chip card market in the world;
- How the card brands are working together to streamline EMV certifications; and
- Why Visa has no plans to re-evaluate its deployment of chip-and-signature rather than chip-and-PIN in the U.S.

As Visa's senior vice president of risk products and business intelligence, Nelsen manages the company's global fraud detection solutions as well as its chip technology programs and integration. In 2015, ISMG recognized Nelsen as one of the banking industry's most influential information security leaders.
Until we get to a stage where we can guarantee the confidentiality of static identity reference data, such as names, addresses, emails and favorite cat colors, we must move away from relying on knowledge-based authentication.