Payment fraud takes a ride on public transit

While public transit lets riders save on gas and turn commute time into reading, work, or Candy Crush time, it lets fraudsters test stolen data.

Readers of this blog are doubtless aware that there is no shortage of account numbers, complete with names, passwords, maiden names, SSNs, PINs, fingerprints, and other personal data, available for sale on the Dark Web.

Still, not every illicitly obtained account number is good. To avoid the inconvenience and embarrassment of a declined fraudulent transaction, thieves are well advised to verify that a pilfered account has not been suspended, closed, or otherwise compromised well before they attempt to go hog-wild with it. 

Lucky for them, account verification is nothing new. The trick is to conduct a quick, initial test transaction so negligibly small that, should it happen to bounce, few are likely to notice, and those who do notice aren’t likely to raise much of a ruckus.

Mass transit payment systems, with their typically low fares, can provide just such a testing environment for fraudsters. This was brought to my attention last week by a Salt Lake Tribune article reporting that GoRide, the payment app used by Utah Transit Authority (UTA), is “… a favorite testing site for stolen credit cards.”

It wasn’t account holders that brought the problem to the attention of authorities. It was an alert UTA analyst. Per the Tribune:

… investigations started when a fare operations analyst noticed a high number of chargebacks from banks … UTA figures thieves were using the GoRide app to test whether stolen credit card numbers were still active because low-cost charges for transit rides may not raise concern by credit card companies and owners initially, perhaps allowing thieves to go on spending sprees for other items with the working numbers.

The affidavits said UTA identified more than a dozen problematic accounts and was able to identify several people and their electronics and financial accounts suspected of using stolen credit card numbers. They said the agency found fraudulent activity dating back to last July.
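The signal the UTA analyst acted on, failures and chargebacks clustering on low-fare purchases, can be checked per app account. The sketch below is an added example, not UTA's or GoRide's code; the record layout, sample data and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample records: (app account, card token, fare in USD, outcome).
# Outcome is "settled", "declined" or "chargeback"; every value is invented.
SAMPLE_TXNS = [
    ("acct-101", "card-A", 2.50, "settled"),
    ("acct-101", "card-A", 2.50, "settled"),
    ("acct-101", "card-A", 5.00, "settled"),
    ("acct-202", "card-B", 2.50, "chargeback"),
    ("acct-202", "card-C", 2.50, "declined"),
    ("acct-202", "card-D", 2.50, "chargeback"),
    ("acct-202", "card-E", 2.50, "settled"),
    ("acct-202", "card-F", 2.50, "declined"),
    ("acct-303", "card-G", 2.50, "declined"),  # one bad card, then a good one
    ("acct-303", "card-H", 2.50, "settled"),
    ("acct-303", "card-H", 2.50, "settled"),
]


def summarize(txns, max_fare=10.00):
    """Aggregate low-value transactions per app account."""
    stats = defaultdict(lambda: {"cards": set(), "total": 0,
                                 "failed": 0, "chargebacks": 0})
    for account, card, amount, outcome in txns:
        if amount > max_fare:  # card testing favours negligible amounts
            continue
        s = stats[account]
        s["cards"].add(card)
        s["total"] += 1
        if outcome in ("declined", "chargeback"):
            s["failed"] += 1
        if outcome == "chargeback":
            s["chargebacks"] += 1
    return stats


def flag_card_testing(txns, min_cards=4, min_fail_ratio=0.5, min_chargebacks=1):
    """Return accounts that cycle through many cards with a high failure rate.

    The three thresholds are illustrative assumptions; tune them against
    the normal behaviour of legitimate riders (families sharing an account,
    a rider replacing an expired card, and so on).
    """
    flagged = {}
    for account, s in summarize(txns).items():
        ratio = s["failed"] / s["total"]
        if (len(s["cards"]) >= min_cards
                and ratio >= min_fail_ratio
                and s["chargebacks"] >= min_chargebacks):
            flagged[account] = {"cards": len(s["cards"]),
                                "fail_ratio": round(ratio, 2),
                                "chargebacks": s["chargebacks"]}
    return flagged


if __name__ == "__main__":
    for account, detail in flag_card_testing(SAMPLE_TXNS).items():
        print(account, detail)
```

Requiring several distinct cards as well as a high failure ratio keeps a rider with a single expired card (acct-303 in the sample) out of the results.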

Not incidentally, the GoRide app is smartphone-based. According to travel rewards website Upgraded Points, smartphones provide the “initial point of contact” for fraudsters 77 percent of the time.

Post script on personal security measures

Though hacking transit transactions for purposes of verifying pilfered accounts may be new, most of the techniques fraudsters use for stealing credit card data are not. This month, creditcards.com shared “10 identity theft techniques to watch out for in 2020.” Some making the list were of the higher tech variety, such as viruses that pilfer information from online shopping carts. But most, such as phishing scams and lifting data that people unwisely share on social media, were lower-tech and have been around for years.

Some merchants may be unwitting allies in credit card fraud. Chargebacks911 states:

The difficulty of identifying fraud online leads some businesses to adopt a defeatist posture. In fact, 47% of online sellers believe fraud is inevitable in the eCommerce environment. A further 20% think it costs too much to control; instead, it’s best to just maximize sales and hope to outpace the fraudsters.

While I have no desire to throw cold water on the development of high-tech and AI-driven fraud prevention, it seems that personal vigilance remains vital and has the power to take a big chunk out of payments fraud. 

Financial institutions can provide a needful and loyalty-building service by educating clients on everyday security measures anyone can and should take. Some ill-informed PR advisors may warn their bank clients from so much as bringing up fraud. But, as I wrote nearly three years ago, “Perhaps paradoxically, the proper presentation of information on staying safe from hackers can increase client confidence by conveying that a financial institution is knowledgeable and cares about its customers.”

Posted in Uncategorized by Matt. No Comments

TBT: A Peek Inside the Brainstorming Session
(Branding a Bank for the Rising Generation)

Originally posted on October 31, 2013

Here’s a macabre thought to start your day: Older customers will die sooner than younger ones.

It’s a fact of life that has many a financial institution concerned. Rightly so.

I wouldn’t dream of suggesting that bankers’ concern is only for the bottom line. Surely many wish their customers a long life out of pure altruism. Yet even the most altruistic understand that a bank’s life expectancy is tied to that of its customers. A bank that hopes to outlive older customers must attract younger ones.

The problem lies in how to go about trading the outdated image that appealed to prior generations for a new, more with-it image that appeals to younger ones.

CUT TO: THE BRAINSTORMING SESSION. “I have it!” someone says. “Let’s quit making tellers cover their tats!” (“What’s a tat?” asks the CEO.) Someone else suggests decorating branches à la the young person’s hangout. Another wonders aloud what it would cost to hire Justin Bieber or Miley Cyrus as a spokesperson. (“Who?” asks the CEO.) Yet another, who happens to be a Garage Band enthusiast and wannabe rock star, thinks a rockin’ jingle will do the trick. A techie suggests overhauling the website with state-of-the-art animation, games, great colors, hot music, and downloadable tunes and videos. The advertising manager wants to shoot commercials telling viewers that the bank has been misjudged, that in reality no one is more hep. (“What’s hep?” asks the youngest person in the room.)

Were I in the room—come to think of it, I have been, more than once—I would point out that the discussion started off on the wrong foot. Contrived cosmetics do not make a brand. Substance does. If you are cool—whatever that means—it will be manifest in your look and messaging. If you are not, pretending will only make you look pathetic, like a boor who thinks changing his shirt rather than his approach will make people like him.

If the rising generation favors a competitor, dig deep to find out why. Odds are you’ll discover an underlying philosophy, approach, and values that a younger market responds to. You will also find that the outward look and feel, far from contrived, are a natural expression of said underlying philosophy, approach, and values.

Only claim to be what the market wants if you first become what the market wants. Then the outward trappings will speak for themselves.

From bezels to bombs: ATM fraud runs the gamut

Some thieves take on smart ATMs with high tech gadgetry. Others, you could say, have a shorter fuse.

The United States Department of Justice recently sent notifications to 2,000 residents in my home state of Utah. Recipients are presumed victims of one Alexandru Cosmin Licsor, freshly extradited from Romania. The purpose of the letter was to inform them of Licsor’s Salt Lake City trial, which begins one week from today. According to KSL.com:

Authorities said 37-year-old Alexandru Cosmin Licsor would install skimmers and cameras at ATMs along the Wasatch front then wait for customers to make withdrawals before cashing in on their hard-earned money … 

“It reads the data on the bank cards and they get the pins from persons that enter their PIN. They usually have a camera and that’s how they were able to get the data and they just duplicate it,” said FBI special agent Dave Fitzgibbons … 

According to the indictment, Licsor attempted to withdraw $512,960.13 and succeeded in withdrawing $189,740.30 from ATMs belonging to other banks and as far as New Mexico … The FBI suspects Licsor is part of a larger criminal organization operating in the Netherlands, Italy, Romania and Mexico.

“ATM fraud,” said one Utah resident who prefers I omit his name, “that’s still a thing?”

Yes, Virginia, ATM fraud is still very much a thing, and it doesn’t look like it’s going away anytime soon. Fraudsters develop and install myriad high tech hacks on ATMs. A new PYMNTS.com article reports that David Phister, systems security product management director for Diebold Nixdorf, said that … 

… ATM skimming and jackpotting—where malicious code or hardware is installed at the machine to coax cash to be spit out on demand—remain among the most significant security concerns into the holiday season.

… Phister told PYMNTS that consumers should be especially vigilant about inspecting machines for “false bezels,” which are typically fixed over the card reader or other parts of the ATM, and which can house tiny “pinhole” cameras that record PINs as they are entered on keypads.

Consumers are well advised toward vigilance, but then, there’s only so much that the untrained eye can be expected to detect. False bezels are hard enough to spot, but at least they’re mounted on the ATM exterior. Data theft devices hidden inside the card slot present a bigger challenge—even to the better trained eye. PYMNTS.com continues:

Another tactic involves the use of razor skimmers, which [Phister] described as part of the newest wave of fraud. They are, well, razor-thin inserts that fit within the card acceptance slot, and read the data housed within the magnetic stripe of cards inserted into the hacked ATM.

But not all ATM thieves resort to high-tech solutions. Some rely on the more traditional, Butch Cassidy-esque approach, which is to say, explosives. 

In the Netherlands, blowing open ATMs had become so prevalent that, just a few weeks ago, ABN AMRO took the drastic step of emptying and shutting down 470 ATMs. In an official press release, ABN AMRO announced that it …

… has temporarily shut down 470 cash dispensers with immediate effect. This emergency measure is needed in view of the growing number of violent ATM explosive attacks. All cash has been removed from the machines. The past few months have seen a sharp rise in violent ATM explosive attacks, particularly targeting a certain type of cash dispenser used by ABN AMRO.

The move won’t leave ABN AMRO customers entirely ATM-less, however, for only about half of its ATMs are of that “certain type.” The press release continues, “At another 400 locations, ABN AMRO has different types of cash dispensers. These will remain open for use.”

Meanwhile, other Dutch banks, preferring not to tempt explosive fate, are emptying and shutting down ATMs between 11pm and 7am. On December 19, Finextra reported that:

… the operator of the Dutch banking sector’s joint ATM network says the overnight shutdown will take effect immediately. The firm will also move any cashpoints that pose an elevated risk to nearby residents and place them in safer locations. The company is working with De Nederlandsche Bank and the police to implement new measures which will render banknotes worthless if stolen by raiders.

Also:

Over 70 people have been arrested so far this year in connection with ATM bomb attacks by special ATM Raids Units set up by the Dutch police force.

“Digital security is an arms race,” I wrote in this blog in August of 2017:

Each time the good guys come up with a new way to foil hackers, the hackers simply busy themselves defeating it. I don’t expect the arms race to end anytime soon, if ever. Not even chip cards will do away with fraud, although chip use in Canada and other countries has reduced it.

What I seem to have overlooked at the time was that, for criminals who prefer not to trouble themselves with technology, there’s always dynamite.

(TBT) New Year’s resolutions: the most popular, the most broken

 

Originally posted December 29, 2016

The New Year is nearly upon us. I need hardly point out that, for a lot of us, that means making and promptly breaking one or more resolutions.

For a bland definition of the ubiquitous New Year’s Resolution, look no further than Merriam-Webster:

A promise to do something differently in the new year.

For something a bit more entertaining as well as sardonic, the oft-NSFW (consider that warning should you be tempted to click to it) Urban Dictionary offers these (I replaced a couple of NSFW words with bracketed, SFW euphemisms):

The things you promise yourself you will do over the year, but quit after the first 2 weeks.

An assessment of, and often delusional attempt to correct, one’s shortcomings … Given the arbitrary nature of the date and the sudden change of lifestyle demanded by most resolutions, it should not be surprising that most resolutions are abandoned by the start of the next year.

The [malarkey] that people say they will [accomplish] when they are hammered 10 minutes before the New Year comes. Most of this is forgotten by the 3rd of January.

The tradition of using the start of a new year for making resolutions dates back at least to ancient Babylonian times. According to History.com,

The ancient Babylonians are said to have been the first to make New Year’s resolutions, some 4,000 years ago. … During a massive 12-day religious festival known as Akitu, the Babylonians crowned a new king or reaffirmed their loyalty to the reigning king … If the Babylonians kept to their word, their (pagan) gods would bestow favor on them for the coming year. If not, they would fall out of the gods’ favor—a place no one wanted to be.

Popular resolutions today

A number of organizations conduct annual surveys of popular New Year’s Resolutions. GOBankingRates offered respondents a choice of seven. The choice “none of the above” had a decent showing at 30 percent, but “Enjoy life to the fullest” took nearly half the vote with 45.7 percent. Perhaps that shouldn’t be surprising. “Enjoy life to the fullest” is just vague enough to make success easy to claim. Or not.

“Enjoy life to the fullest” also found its way into an annual survey conducted by Nielsen, the company known since humankind walked upright for collecting and reporting TV ratings. Here are the first three of Nielsen’s top ten:

1. Stay fit and healthy (37 percent)

2. Lose weight (32 percent)

3. Enjoy life to the fullest (28 percent)

It wouldn’t be unreasonable to lump 1 and 2 together. TIME does just that in its survey of top broken resolutions, where “Lose weight and get fit” takes first place.

Making a resolution you might actually keep

A cynic might aver that the point of New Year’s Resolutions is not to keep them but only to make them and then be done with them. Fair enough.

But those genuinely interested in keeping their resolutions might check out the work of British psychologist Richard Wiseman. Wiseman is known for researching the offbeat, including a search for the world’s funniest joke (which Miami Herald humor columnist and author Dave Barry did his best to skew toward any joke ending with the punch line … well, click here), a scientific investigation into the nature of luck, and contents most likely to ensure the return of a lost wallet. In 2007, Wiseman researched New Year’s Resolutions, tracking “… over 3000 people attempting to achieve a range of resolutions, including losing weight, visiting the gym, quitting smoking, and drinking less.” He reported that:

At the start of the study, 52% of participants were confident of success. One year later, only 12% actually achieved their goal. The study uncovered why so many people fail, and what can be done to help ensure success.

As to the part about “what can be done to help ensure success,” Wiseman listed a number of recommendations. These include making only one resolution, planning the resolution well before January 1, avoiding previously failed resolutions, and being specific. Wiseman’s brief post on the subject is well worth a read.

For those who find Wiseman’s advice too demanding, here’s an infallible method for keeping a New Year’s Resolution: Wait for December 31, look back over the year, find something you accomplished, and then make accomplishing it your retroactive resolution. You won’t convince anyone, including yourself, but at least you’ll be able to claim success.

As for my 2017 resolution, I have chosen one that is eminently attainable: It is that the Broncos will win every game.

Bootstraps and the unbanked

I shall open this week’s post by quoting Neil deGrasse Tyson. Tyson is a bestselling author, director of the Hayden Planetarium (part of the Department of Astrophysics at the American Museum of Natural History in New York), and, according to People magazine, the sexiest astrophysicist alive.

(One wonders why People felt the need to qualify “sexiest astrophysicist” with “alive.” It’s hard to imagine a sexy deceased astrophysicist. It’s remarkable enough that there’s a living one.)

But this post isn’t about astrophysics or sexiness. It’s about banking and bootstraps.

So, anyway, the quote. It’s from Tyson’s address to the University of Massachusetts graduating class of 2015:

It’s OK to encourage others to pull themselves up by their bootstraps. But just remember that some people have no boots.

What brought Tyson’s statement to mind this week was a recent Finextra article entitled, “HSBC offers homeless people bank accounts.” The article says that HSBC …

… is working with charities in the UK to help homeless people who do not have fixed addresses or photo IDs to open bank accounts, which can be managed in branches or online. 

More than a wonderful thing to do, it’s a needful thing to do. Finextra continues:

… there are an estimated 320,000 homeless people in the UK, many of whom face financial exclusion because they do not have a fixed address or the appropriate ID needed to open bank accounts.

Backing up that claim was Business Insider, which recently observed, “Financial inclusion has been seen as key for reducing poverty.”

Thing is, if you need a banking relationship to exit poverty and you can’t get a bank account because you’re poor, you’re trapped in a vicious circle. You’re doomed to remain unbanked. Bootless, if you will.

So kudos to HSBC. They might just be offering a bootstrap to the homeless and others struggling with poverty.

In the United States, according to a report by the White House Council of Economic Advisers:

Over half a million people go homeless on a single night in the United States. Approximately 65 percent are found in homeless shelters, and the other 35 percent—just under 200,000—are found unsheltered on our streets (in places not intended for human habitation, such as sidewalks, parks, cars, or abandoned buildings).

Their estimate may be low, for homelessness is a moving target. According to the Urban Institute:

… over the course of a year at least 2.3 million and probably as many as 3.5 million people experience homelessness at least for a short period.

Out of the total U.S. population of 327 million, a half-million or even 3.5 million—about 0.153 and 1.07 percent, respectively—may not seem significant if you view them as cold, hard numbers instead of as people. All I can say is that the moment you imagine yourself or a loved one a member of that population, the number becomes considerably more significant.

HSBC’s UK program may provide the homeless with “boots.” I’ll be eager for news of the program’s results over time. If a number of homeless grab that strap and use it to begin pulling themselves out of poverty, we in the U.S., indeed, the world, may have a worthy model to follow.
