Every time a big credit card-related data breach occurs, it immediately becomes a huge story, and understandably so. Millions of credit card accounts can be compromised in such events and potential fraud losses are also measured in the millions of dollars. Just last year we had a couple of big data breaches: the Zappos breach in January that may have compromised as many as 24 million customer accounts and then the Global Payments breach in April, which reportedly affected 1.5 million cards. Whereas each of these companies did a great job at containing the damage and managed to swiftly recover, not every victim has been as lucky in the past. In November of 2008, RBS Worldpay, the U.S. payment processing subsidiary of the Royal Bank of Scotland, suffered a hugely sophisticated and well-organized attack, in which hackers managed to take over the processor’s computer systems, increase the funds available on compromised card accounts (in some cases to as much as $500,000), as well as to raise the limits on the amounts that could be withdrawn at ATMs and then proceeded to withdraw $9.5 million from some 2,100 ATMs in 280 cities. It was a spectacular cyber heist.
So hackers present a real and present danger for payment processors, merchants and every other organization which stores payment card information and data protection is a never-ending race in which the good guys are constantly trying to stay a step ahead of the criminals. Well, this morning The Wall Street Journal’s Steve Rosenbush is updating us on the latest data security measures implemented by Visa — the world’s biggest payment network — and the progress made over the past few years has been truly impressive.
How Data Are Stolen
Ellen Richey, Visa’s chief enterprise risk officer, tells Rosenbush what her company is up against:
We are confronting a criminal population that continues to improve its sophistication and its attack vectors, so we can’t stand still. You see the criminal capability evolving on the technology side. They are getting into the systems of [Visa] stakeholders and other companies that process payments, and they are able to encrypt their own movements on networks, sometimes for months, and exfiltrate the data.
As it happens, some hackers have been willing to get into details about precisely how they are going about the data exfiltration Richey is talking about. Just a couple of months ago, French newspaper Le Monde had a wonderful piece on the subject, which was shared with us in English by Worldcrunch. In it, one Romanian hacker told us precisely how he manages to “bamboozle four or five users per week, leaving me, in the end, a few dozens or a few hundred thousand dollars richer”:
It’s a big world we live in and it’s full of idiots ready to buy anything on the Internet. We sell fictitious products, we clone websites and hack credit cards. In Europe, in order to get the cash in, we use “arrows” (money mules) — their only job is to withdraw the money previously sent to an account. They keep 30% of the loot and then send us the rest via Western Union.
What’s even more amazing is that, as Le Monde’s article made clear, these guys are not exactly hiding. So what are the Visas of the world doing to protect their systems from hackers?
Using ‘Big Data’ to Fight Hackers
Rosenbush reports on what Visa has been doing to fight off the threat:
To confront the risk, Visa introduced a new analytic engine in August 2011, which she [Richey] says has changed the way the company combats fraud. The analytic platform harnesses the power of Big Data — a term that refers to larger and more varied set of data, powerful algorithms, and underlying hardware and software that runs calculations faster and more cheaply than traditional databases or analytic engines. The company estimates that the model has identified $2 billion in potential annual incremental fraud opportunities, and given it the chance to address those vulnerabilities before that money was lost.
Since Visa moved its authorization system (and fraud detection efforts) online 20 years ago, fraud has declined by two thirds, Rosenbush tells us. Yet even so, 0.06 percent of the dollar volume of transactions processed today is believed to be fraudulent. That may seem as an insignificant ratio, but the amounts that are processed are mind-boggling. According to the Nilson Report, an industry newsletter, in 2011, Visa alone processed payments worth more than $8 trillion. So yes, even at a level of 0.06 percent of the processing volume, fraud is unacceptably high. But Big Data (by the way, am I the only one who thinks that this is an awful term?) is now coming to Visa’s aid, promising to greatly improve the effectiveness of its fraud prevention system. It’s simply a matter of brute computational force:
Earlier analytic models studied as little as 2% of transaction data. Now the company said it endeavors to analyze all of its data. In the past, the company based its security assumptions on average fraud rates for merchant categories, like grocery stores. Now it said it can analyze the actual market, right down to individual merchant terminals. That allows it to drill down on hundreds of attributes, such as average authorization volumes, average ticket sizes and frequency of purchases that turn out to be fraudulent, the company said.
So Visa is telling us that it now has the computational resources to allow it to become the guardian of each individual point of card acceptance. And, of course, the ability to analyze greater amounts of data will enable the payment network to identify with a much higher degree of accuracy the weakest points of its payment processing system. Prepaid cards have already been found responsible for 85 percent of all fraudulent Visa transactions in amounts of $200 or more.
Even though Visa has been investing heavily in its fraud-prevention system, as undoubtedly its rivals have also done, its efforts are yet to produce measurable results here in the U.S. In fact, a recent Europol report told us that most of the fraud committed with European credit cards actually takes place in the U.S. The reason is that the EMV standard for credit card acceptance, which is the norm in Europe, is more secure than the magnetic stripe-based one we still use on our side of the Atlantic and criminals are finding it much easier to use their stolen European cards in the U.S. Unfortunately, although all payment networks have set out plans for transition to the EMV standard in the U.S., that process will take years to complete and so Visa should brace itself for more losses.
Image credit: Visa.