Payments 101: An Intro to Payment Security and Transaction Trends

By | July 10th, 2014|Uncategorized|

The security of transactions and payments is a hotly debated topic around the world. Which methods are most secure? Which should we all adopt? And why one over the other?

But before we start diving more into the debate on this topic, how about a simple introduction? Let’s define some of the major terms and security issues that you will often see discussed:

Magstripe:
This is a type of card that is capable of storing and transferring data within a magnetic stripe. The information is read by swiping past a magnetic reading head. If you’re in the US, this is likely what you are familiar with on your credit card, debit card, public transportation card or even ID card for your office. Typically, you are asked for your signature at a POS when using your magstripe card.

EMV:
EMV, which takes its name from Europay, MasterCard and Visa, is a global standard for payment cards that is based on microprocessor chips. These are often called IC cards or “chip cards.” A computer chip is embedded in the card and associated with a PIN. The owner must supply the PIN to allow for the card’s processing. This use of a PIN to identify the owner is considered more secure than the use of a signature, as you use with magstripe cards.

Chip and PIN:
This is another name for EMV cards or the EMV standard.

CNP Transaction:
CNP stands for Card Not Present. This is a type of transaction made with a card in which the cardholder does not or cannot physically present the card to the merchant. For instance, CNP transactions often take place over the phone or Internet. CNP transactions can be major sources of credit card fraud, as it can be difficult for the merchant to verify the user’s identity. When you make a purchase in person, you may be requested to prove your identity with a photo ID, signature or PIN. However, in a card not present transaction, there isn’t an easy way to authenticate that you are who you say you are.

Contactless Payments:
Now we are seeing more instances of contactless payments, in which the user can wave a card, device or fob over the POS system to make the transaction. This type of payment uses radio-frequency. Near Field Communication (NFC), for instance, is a set of standards for smart devices to establish radio communication when in proximity with one another. Security risks include malware and interception of the transaction. However, since smart cards and devices often have more than one use, the owner only has to replace the one card or device if it is lost or stolen.

Keep an eye out on our blog, cyberSAFE webinar series and social media channels for more on this topic as we begin to take part in the debate. In the meantime, what do you think about each type of card? What about each type of transaction? Join the conversation on Twitter, Facebook and LinkedIn.

Five Simple Security Resolutions for the New Year

By | January 8th, 2014|Uncategorized|

Do you have room for one more new year’s resolution? Beyond getting fitter, healthier or smarter, vow to be more secure. Here are five simple actions you can take for a more secure year.

Refresh your passwords

Take a minute to refresh your personal and professional passwords. Make them long and use a mix of numbers, letters and symbols, and avoid using the same passwords across multiple sites. Require that your employees, customers and family do the same. Check out our Consumer Password Habits Unveiled blog post for more password advice.

Update software

Keeping your device software up-to-date can help keep your device and identity secure. So this year, whenever you see that “update available” notice pop up, click “yes”! It only takes a few moments to keep your software updated.

Shred, wipe and reformat

Erase your tracks. Shred unneeded documents, wipe old devices and reformat old hard drives so identity thieves cannot retrieve any sensitive information. Tax season will be here before you know it, and the overwhelming number of tax identity theft cases that occurred last year indicates that identity thieves are prone to using year-old information to collect refunds.

Protect your privacy

Update privacy settings on your social media pages, mobile apps and web browsers to protect against identity theft and manage your online reputation. Be sure to continually check your privacy settings, as privacy rules tend to change frequently online.

Turn on two-factor authentication

When offered, turn on two-factor authentication services for an extra layer of security. You can already do so for popular sites like Gmail, Twitter, Apple, and Dropbox.

Which of these do you plan to adopt? What other simple security resolutions have you made for the new year? As always, let us know on Twitter and Facebook.

Industry News Recap: Twitter Launches Two-Factor Authentication

By | May 23rd, 2013|Uncategorized|

This week, Twitter introduced a two-factor authentication login security measure that users can opt into, helping to protect users from email phishing schemes or password breaches. Users need a confirmed email address and a verified phone number on their account to set up the login verification feature on their Twitter settings page.

“The two-factor system mirrors that of Facebook’s and requires members to provide a phone number to which Twitter can send a unique code with each login attempt,” said CNET. “Twitter users can turn on two-factor authentication from their Account Settings page, where they can tick the box to “Require a verification code when I sign in.” Users then need to enter their phone number, and Twitter will subsequently text the number for verification purposes.”

While this security measure helps individual Twitter users protect against hackers, using the two-factor authentication feature may be more complicated for business or shared accounts. According to TechCrunch, those with shared accounts “can only set one phone number as the recipient of the two-factor authentication codes, but may have several staff members who need to access the account. If they enabled it, whoever carried the phone registered with Twitter would have to relay the code to all the other staffers to get it to whoever needed it. That hassle might prevent shared accounts from turning on login verifications, and so the hackings may continue.”

Whether making changes for an individual account or a shared business account, Web magazine Slate encourages those who choose to set up this security feature to make their “account changes by visiting the relevant website directly from within your browser, not by clicking a link in an email. Scammers are often quick to capitalize on security news like this by sending out bogus messages telling people to ‘click here’ in order to change their password.”

Take a look at this video Twitter created to help users set up their login verification. Will you turn on this new login verification on your personal account? What are some solutions for those with shared Twitter accounts? Let us know what you think on Twitter and Facebook. Be sure to check out our Tumblr page for the latest industry news stories.

Industry News Recap: Apple Offers Two-Factor Authentication

By | March 22nd, 2013|Uncategorized|

Apple announced on Thursday that they’ve created a tool that strengthens password security for Apple accounts: two-step verification. This should come as no surprise since many companies now offer two-factor authentication after suffering from data breaches. (And remember the Mat Honan hack?)

The New York Times reported that, “the security feature (must be turned on manually at Apple’s Web site) lets a user receive a code on another device that can serve as a second password.”

Wired went on to say that you must “validate your identity using a mobile device before being able to make iTunes or App Store purchases, make changes to an account or get a password reset from a new device.”

In addition, “The extra level of security makes it more difficult for hackers to gain access to your account,” said Mashable. “Should your password fall into the wrong hands, it’s a roadblock preventing that person from signing in and accessing your data.”

Do you think Apple is taking a step in the right direction with two-factor authentication? Should companies forgo passwords altogether and use other authentication methods? Let us know what you think on Twitter and Facebook. Also, be sure to check out our Tumblr page for the latest industry news stories.

Industry News Recap: One Password Ring to Rule Them All

By | March 15th, 2013|Uncategorized|

This past week, Google announced a novel idea for the future of passwords – a ring. Hardware authentication tokens aren’t a new concept, by any means, but Google thinks it’s time to bring this idea to a broader audience. Here’s a recap of the top news stories around this topic.

Geek.com said that “Google is [currently] testing a USB dongle…featuring an NFC chip that would potentially allow a user to kick start the login process by placing a phone or tablet within range.” They want to achieve the same success with a ring.

Meanwhile, MIT Technology Review reported that Google “first revealed its plans to put an end to passwords in an academic paper published online in January.” At RSA, a principal engineer at Google said “that using personal hardware to log in would remove the dangers of people reusing passwords or writing them down.”

So, what do you think about the future of passwords? Is Google on the right track to breaking the password code? Or would you just lose the ring? Let us know what you think on Twitter and Facebook. Also, be sure to check out our Tumblr page for the latest industry news stories.

Forget Passwords: Here comes FIDO

By | February 21st, 2013|Uncategorized|

We’ve talked a lot about passwords on this blog, including how ineffective they are as a method of authentication. Over the past decade, many businesses, government organizations and non-profits have been trying to solve the password conundrum and come up with an authentication method that is secure, easy and simple enough that your grandmother can use it.

A new group recently threw their hat into the ring: the FIDO (Fast Identity Online) Alliance. FIDO’s ultimate goal is to create a new open standard for security that either swaps out or supplements our current password authentication system. The group is currently investigating a number of ways to do this including biometric solutions like voice and facial recognition, and existing standards like NFC and one-time passwords.

Many groups have preceded the FIDO Alliance with a similar mission, but what makes FIDO unique are the companies that comprise it – big names like PayPal, Lenovo and Infineon with more partnership announcements on the way. Adoption is key with any new authentication solution, and having the backing of some major companies is a good sign for the FIDO Alliance.

We are still years away from an authentication solution that will replace our current password system. Yet the seemingly unrelenting hacks and breaches of the past few years are certainly speeding up the replacement process. It looks likely that FIDO will play a role in this process, and we look forward to seeing what the group can accomplish.

What do you think of FIDO? Let us know on Facebook or Twitter.

Marc Ostryniec Presents at ID360

By | April 24th, 2012|Uncategorized|

The Center for Identity at the University of Texas at Austin held the first annual ID360 Conference this week. CSID was there in support of our VP of sales Marc Ostryniec, who presented on how proactive credential monitoring can reduce the risk of fraud that is an inherent problem when employees mishandle company credentials or customers have poor password habits. People truly are the weakest link in any company’s security system.

The most advanced security measures can be unraveled through everyday human error. In fact, some of the most recent security breaches began with employees simply opening an email containing a virus. But businesses can’t operate without humans, meaning proactive credit and security monitoring is crucial. Businesses that neglect to proactively monitor for security breaches or issues leave themselves open to a wide range of security threats that can impact their customers and ultimately, the bottom line.

Marc opened his presentation with this compelling statistic from Trusteer: 73 percent of consumers reuse their online banking login and password with nonfinancial websites. The reuse of login information increases the possibility that if one website gets hacked, other locations where its customers conduct business or interact online can also be accessed using that same information. In many cases, the stolen login information can even access a work database or server, leaving many businesses vulnerable without them realizing they are under attack.

For more information about proactive credential monitoring, read Marc’s conference paper. Read more about the ID360 Conference and Marc’s presentation in the Austin-American Statesman, and check out the #ID360Conference Twitter hashtag for key points from the event.

Revisiting SXSW 2012 – One Last Look

By | March 27th, 2012|Uncategorized|

It’s hard to believe that South by Southwest Interactive (SXSW) is already two weeks in the past. We spent eight months planning and prepping for the event—during which CSID hosted three panels—then it came and went in a flash. In fact, we already have SXSW 2013 on our radar.

Before we get ahead of ourselves with arrangements for next year’s event, we wanted to revisit SXSW 2012 one last time and call out some key messages from each of our panels.

Data Breaches: Taking the Bull by the Horns
This panel, moderated by CSID President Joe Ross, brought up some resonating points about the importance of preparing your company for a data breach, and what to do in the instance that a breach occurs. A few key points from the panel include:

  • Negligent insiders are the top cause of data breaches. One study estimates that 61 percent of security breaches are caused by internal sources.
  • Every company, no matter how big or small, must create a risk management protocol that covers processes and procedures in the case of a breach.
  • Breach notification laws differ among states. In 41 states, a breach of usernames and passwords does not need to be reported.

My Voice is My Passport. Verify Me.
This was a dual panel featuring Isaac Chapa, VP of technology at CSID, and Dan Miller, senior analyst and founder of Opus Research. Isaac and Dan discussed voice biometric technology and the future of voice authentication. Some interesting points made by Isaac and Dan include:

  • Experts predict an exponential growth in voiceprint enrollments as businesses look for ways to authenticate online and mobile transactions like mobile payments.  
  • Voice biometric technology has two key advantages over other biometric solutions: it can be used in a number of environments, and it does not require additional software or hardware to be built into a device as would fingerprint or retina scanners.
  • Your voice can be a useful replacement when dealing with frequent password resets or remembering hundreds of complex log-ins. You can’t forget your voice.

No Rainy Days: Identity Protection in the Cloud
CSID’s VP of product strategy, Eric Youngstrom, discussed cloud security with a well-rounded group of experts. Notable points discussed during the panel include:

  • On the horizon for cloud security: The National Strategy for Trusted Identities in Cyberspace (NSTIC) “Identity Ecosystem.” When implemented, the protocol will be similar to the FDA stamping your meat. NSTIC-approved sites will have a standard level of security in place, protecting consumer data.
  • Security across the supply chain is completely relevant and important when storing and accessing data in the cloud.
  • Make sure your cloud provider has third party certifications and is taking proper measures to secure your data.

What did you take away from SXSW this year? What topics do you want to see CSID cover at next year’s event? Leave a comment or let us know through Facebook and Twitter.

CSID Takes on SXSW Interactive

By | March 5th, 2012|Uncategorized|

Headed to South by Southwest Interactive (SXSWi) conference in Austin, Texas this month? So is CSID.

We’ve been working hard, organizing three SXSW panels that address today’s hottest security concerns: data breach preparedness, cloud security and voice authentication.  

The increase in volume, severity, publicity and fallout of recent data breaches and lack of cyber-security has taken the topics of data protection and breach mitigation to new heights. We plan on addressing many of these issues during our panels including how businesses should prepare for the seemingly inevitable breach, how voice biometrics can be used as a method of fraud prevention and how best to address identity protection in the cloud. We’ve assembled an amazing group of individuals for each panel, which should make for some interesting discussions. We’d love to have you attend and answer any questions you may have.

We’ll be blogging a bit more about each panel as SXSWi approaches. You can also catch our updates on Facebook and Twitter. Stay tuned.

Data Breaches: Taking the Bull by the Horns

When: Monday, March 12, 12:30–1:30 PM CST
Where: InterContinental, Stephen F. Austin, Capital Ballroom B
What: When a breach or security issue occurs, it is not just the IT department that needs to react. Company leaders need to know how to address the issue quickly, protect customers and secure their brand. This panel will discuss multiple aspects of breach preparation from technologies that will help mitigate the impact of a breach to lessons learned for those that looked a data breach in the eyes and lived to tell.
Who: Joe Ross, president of CSID, Joseph DeMarco, partner at DeVore & DeMarco, Michael Bruemmer, VP data breach of Experian Consumer Direct, Monica Jedrzejowska, associate at Hunton & Williams, and Terry Hemeyer, senior lecturer and advisory council member at The University of Texas at Austin
Hashtag: #SXBreach

No Rainy Days: Identity Protection in the Cloud
When: Sunday, March 11, 3:30–4:30 PM CST
Where: Hilton Garden Inn, Sabine
What: From financial statements to music collections, we trust the cloud with a lot of personal information. Yet how secure is the cloud? How much control do we have over the data we entrust to it? What can we do if that data is stolen? This panel will try to answer these questions and more as we explore the impact of the cloud on personal identity and security.
Who: Eric Youngstrom, VP of product strategy at CSID, Francis D’Addario, principal at the Security Executive Council, Dr. Suzanne Barber, director of the UT Center for Identity and Oren Hamami, senior cloud security architect at Rackspace
Hashtag: #SXCloudID

My Voice is my Passport. Verify Me
When: Monday, March 12, 5:00–6:00 PM CST
Where: Hilton Austin, Downtown, Salon J
What: Warm up your vocal cords. Voice authentication is going to be front and center as the world looks for ways to secure data. Why? Your voice is unique. It can’t be stolen or forgotten. It is also easy to measure. This panel will discuss advances, strengths and limitations of voice authentication as well as how businesses are implementing the technology to protect identities, transactions and more.
Who: Isaac Chapa, VP of Technology at CSID and Dan Miller, senior analyst and founder of Opus Research
Hashtag: #SXVoiceBio

Top 7 Tips to Prevent Identity Theft (Part I)

By | May 28th, 2011|Uncategorized|

By John Sileo, CSID consumer security expert

Step one of my 7 Steps to Secure Profitable Business Data is to “Start with the humans.” It is crucial to the success of your business’ security efforts that you give your employees the tools to protect themselves personally from identity theft. This develops a privacy language and framework that can be easily adapted to business security.

Pass on the following tips to your employees—seven easy measures to help prevent personal identity theft:

1. Monitor Your Accounts Online

One of the quickest ways to detect identity theft is to monitor your credit card, bank and brokerage accounts online. By doing so, you speed up the detection time and shut down fraud before it becomes a major problem. You can do this either by logging on to the website for the financial provider in question (e.g., your bank), or by setting up automatic account alerts that warn you by email or text message anytime a transaction occurs on your account.

For example, if you have credit card account alerts set up to notify you by email, and you receive an alert that $1 has been spent at a gas station when you haven’t been to a gas station that day, you know that your card has been compromised. Thus, you can shut it down immediately before you become liable for the fraud. Alerts are a painless, immediate way to keep tabs on your financial health.

2. Use Surveillance to Monitor Your Identity

Only about 25% of identity theft can be caught by monitoring credit reports, but there are more sophisticated identity theft monitoring and protection services in the marketplace. I have used CSID for the past five years because of the quality and volume of monitoring they provide, the convenience of their service and the safety of their data centers.

The product automatically monitors all of the potential sources of identity theft so I don’t have to do it myself. I receive a monthly email letting me know if there are any areas that I should be concerned about. That way, I only have to think about it when necessary. Again, convenience is crucial—If we make it easy to be safe, we will be safe!

You should expect to spend approximately $150 per year for a good service. Keep in mind this is likely less than you spend to insure your car and home, which are worth far less than your identity.

3. Opt Out of Financial Junk Mail

There are complete industries built around collecting, massaging and selling your identity data and habits. Companies buy bits of your privacy so that they can knowledgeably market products to you that you are likely to purchase.

“Pre-Approved” credit card offers, for example, are major sources of identity theft. They give thieves an easy way to set up credit card accounts in your name without your consent. The thieves then spend money on the card, leaving you with the mess of purchases that you didn’t make.

The solution is to “opt out” of receiving financial junk mail such as pre-approved credit, home loan and insurance offers. Notify organizations that collect your personal information to stop sharing it with other organizations. This minimizes the amount of your personal information bought and sold on the data market.

To easily opt out of pre-approved credit offers with the three main credit reporting bureaus, call 1-888-567-8688 or visit www.OptOutPreScreen.com.

Have your employees begin to conquer these initial tasks—completing the tasks will help them understand identity security and be ready to take on the remaining four tips, coming soon.
