According to EMC’s November 2012 fraud report, online holiday shopping is projected to account for 24% of the year’s total  e-commerce sales which is good news for retailers and unfortunately, it can also be good news for online con artists.  If 2012 is anything like 2011, retailers will need to increase their data protection and security measures in order to avoid illegal online activity.  Of the 1.4 billion dollars spent in online sales during 2011’s holiday shopping season (November 1 to December 31), $82 million of those dollars were identified as fraudulent, resulting in a 219% increase from 2010.  Cyber Monday alone accounted for $2.5 million of online fraud.

Most web-based fraud activity is due to stolen credit cards and since identity theft is at an all time high, online merchants of all sizes need to implement fraud protection procedures and be proactive in watching for signs of unscrupulous activity.  Early detection is the key to stopping con artists who like to prey on new, inexperienced online businesses.  However, if they discover a merchant has implemented active data security procedures, fraudsters generally won’t waste their time and will most likely move on to their next victim.  The best way for businesses to protect themselves from fraud is to be diligent in watching out for signs of suspicious activity.  These include bulk orders for items that are not usually bought in bulk, orders for multiple high end items, international orders and several orders placed by the same person within a short time.  Con artists try to make as many purchases as possible before a fraud alert is sent to the real owner so they tend to order as much merchandise as they can.

Although it’s impossible to erase online credit card fraud, here are several strategies to reduce it:

1. Use an Address Verification Service (AVS) to make sure the billing address entered online matches the cardholder’s billing information. Institute a policy that merchandise will not ship unless the addresses match.
2. Always ask for the Card Verification Number (CVN) on all credit card orders. The number must be read from the actual card so more than likely the person has the card in his possession. Although it’s not a guarantee that he is its rightful owner, this step provides a small measure of protection.
3. Send a confirmation email or letter to customers when you send an item telling them their order has shipped and when they can expect it to appear on their bill. This can help flag any illegal activity and enable the customer to report credit fraud to the proper authorities before the perpetrator has a chance to do any further credit damage. It will also help businesses to reduce complaints and chargebacks from people who sometimes simply forget they placed an order.

Retailers should keep in mind that once an order has been sent, it is very difficult to regain any loss so prevention is the number one way to combat online fraud.

A recent data breach discovery serves as a reminder that even when you’re on vacation, cyber criminals never sleep.

Vacationland Vendors, a company that supplies vending machines and video games to entertainment venues, recently reported that an unknown intruder penetrated its point of sale systems, resulting in a data breach affecting approximately 40,000 customers at waterland resorts in Tennessee and Wisconsin.  Although credit card and debit information was apparently stolen between December 2008 and May 2011, Vacationland Vendors did not state how the breach was discovered or whether affected customers have been notified.  The company did issue a general recommendation to anyone who visited the affected resorts within the targeted time frame to remain vigilant for fraud activity on their bank and credit card statements and to consider adding a fraud alert with the major credit bureaus.

The Vacationland Vendors data breach highlights the continued vulnerabilities of point of sale technology to crafty cyber criminals.  Heartland Payment Systems, a leading payment processing company, discovered this several years ago when it was hit by a historically large breach that exposed the accounts of as many as 100 million cardholders.  The same kind of breach affected CardSystems Solutions when a breach exposed the accounts of 40 million debit and credit card holders, leading to the sale and ultimate closure of the company.  Indeed, the theft of credit card data is one of the most common forms of fraud and the very reason that the Payment Card Industry Data Security Standard strengthened its requirements of payment card device vendors last year.

The debate about how to best secure credit card transactions has continued this year with the burgeoning introduction of end to end encryption technologies that can better protect cardholder data throughout the entire transaction process.  An example of improved safety mechanisms in the POS process is newer chip and PIN technology, as evidenced by Visa’s recent announcement that it is accelerating chip migration and adoption of mobile payments.

Until the technology around POS systems is more bulletproof, it’s especially important for companies to implement added safety measures around its current credit card payment processes.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.

The tourism industry may be bouncing back from the worst of the recession, but occupancy, unfortunately, isn’t the only thing on the rise.  So are data breaches.

According to a new report by British insurance firm Willis Group Holdings, insurance claims for data theft worldwide jumped 56% last year, with the largest share of those attacks – 38% – targeting hotels, reports and tour companies.

Why are hackers increasingly making themselves at home in the hospitality sector?

According to hospitality experts, the reasons are multi-fold:

1.    Labor cutbacks.  Given the recessionary climate, hotels have reduced staff and are trying to do more with less.  While the lean and mean approach may help hospitality businesses bolster bottom lines, it hurts the industry’s front line defenses against hackers.

2.    Software and equipment reductions.  While hotels ride out the recession, security maintenance, implementation and upgrades fall lower in the priority checklist, creating an easy welcome mat for fraudsters.

3.    Multiple entry points.  Customers book hotels through hotel websites, online travel reservation portals, phone calls, email, postal mail, and in-person with concierges.  Each channel offers its own risks for data breaches and must be individually addressed.

4.    Large access to personal data.  The hospitality industry keeps massive amounts of personal data on file for years and can sometimes lose track of what they have stored and where – all within databases that may be far less than bullet-proof.

5.    Guest room computers with flimsy protection.  Those networked desktops that hotels sometimes provide for guests can be so helpful…and harmful.  Often these computers are riddled with viruses or hiding bits and bytes of old customer data.

6.    Insecure cultures.  Even in the best of times, much of the hospitality industry simply doesn’t prioritize security as it should.  By creating business cultures that don’t sufficiently respect privacy, hotels are jeopardizing the trust of their customers.

Given that hackers have identified the hospitality sector as a soft target, what can hotels do to keep these unwanted guests out?  Here are some tips from industry watchdogs:

1. Minimize data collection.  If you don’t need it, don’t collect it.
2. Understand and comply with PCI-DSS.  Make sure your business is completely aware of its “cardholder data environment” and is providing appropriate protections.
3. Find and digitally shred unneeded information.  Old, forgotten data is dangerous. Don’t be “data blind” – eliminate what you no longer need.
4. Simplify your reports.  For example, don’t offer up social security numbers if not needed.
5. Limit access.  Employees should be on a “need to know” basis with PCI and HR data.
6. Split up your network.  Create electronic firewalls that limit the spread of viruses and attacks.
7. Encrypt. Proper encryption renders hacked data unusable.
8. Understand your network.  Review network logs for unauthorized activity, and make sure your security professionals do, too.
9. Don’t put security in the ghetto.  Security isn’t just for IT professionals; make sure your entire organization creates and respects a culture of privacy that prioritizes security as the basis for all of its operations

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

It can be unnerving to be told that your information has been compromised in a data breach.  The uncertainty of not knowing all the details and the anxiety over what information has been exposed is deeply troubling to many consumers.  A breach notice makes us aware of a new risk to our lives that we can’t measure easily.

Often times, there is a lot of speculation surrounding the company’s timing of the breach notification.  The timing of notification may depend upon a variety of state laws, some of which may delay notification if law enforcement is doing an investigation of the incident and has requested a delay to make the investigation easier.  In most breach cases, the company will want to investigate internally prior to making public notice.  It is important to the consumer and the company that they provide a notice which is accurate.  No one is happy when a notice is made public, and then has to be changed as further information comes to light.  Everyone is better served when the company gets the information right the first time.

It is also important to understand the complexities which may surround various types of data breaches. Not all breaches are equal in the amount of risk posed to the consumer.  For instance, some pieces of information about you are generally available and public, and pose little risk to you taken alone, such as your email address, or first and last name.  Credit card numbers that are exposed are a risk, but not a long term problem, as the issuer will provide a new card with a different account number very quickly.

Additionally, malicious attacks on a company’s server, insider (employee) theft, or the theft of mobile devices (i.e. storage devices, laptops) may be more likely to lead to identity theft than accidental posting on a long-ago cached website or papers left behind in an old abandoned building.  Knowing whether or not the breach incident was malicious or accidental in nature may help you to put the level of risk into a better perspective.

Just remember, unless you know otherwise, the fact that your data was compromised does NOT mean you are an identity theft victim.  In fact, there have been millions of people notified that their information may have been breached who have not become identity theft victims. Your response to the breach will depend on the type of information that was compromised.  Here are some steps you can take at this time:

Financial Account Numbers:

This includes checking accounts, credit cards, money market funds, stocks, and bank accounts:

• Close ONLY the affected accounts and have account numbers changed.
• Password-protect all your accounts, the new ones as well as the closed.  This restricts thieves from re-opening closed accounts.
• Monitor your account and billing statements closely
• Report any fraudulent activity immediately to the bank and law enforcement.

Social Security Numbers:
Call the credit reporting agencies.  These are automated and secure systems.   Place a fraud alert with each agency and request a free copy of each of your credit reports.  It is free because your information was breached and you are a potential victim of identity theft.  Do this for any person whose Social Security Number (SSN) was compromised. If the SSN belongs to a child, you should find that there is no credit report available for that child.  If there is a credit report for a child, it indicates that the child’s information may have been used. In that case, you need to get a copy of the credit report in order to repair the incorrect items.

It is also recommended that you call all three credit reporting agencies and not just one.  Check your report carefully for any irregularities.  Sometimes people see errors on the report that were on the report before the data breach occurred.

You can use, without charge, the annual credit reports system www.annualcreditreport.com to monitor your credit report over the next year. Stagger them throughout the year by ordering one every four months.

Or, if you want real-time updates on your credit report, you may want to consider a paid service which monitors your credit report and alerts you immediately upon any change.

Other:

• If your auto or medical insurance policy information is involved, ask the company about their policy to protect compromised policies.
• If it is HR data that was compromised, change account numbers for your 401-K, life insurance, and accounts holding your stock options.  Password-protect these accounts.
• Driver’s License’s – contact your state Department/Bureau of Motor Vehicles and notify them of the theft.  They most likely will not change your number.

The holidays may be over, but scams targeting holiday gift cards purchased by consumers are an unwanted gift that keeps on giving.  The National Retail Federation estimates that gift cards are a $50 billion annual market, so it’s little surprise that fraudsters search for creative ways to grab a piece of the action throughout the year.  These thefts leave retailers in the difficult position of either reinstating gift card balances to victimized customers – and consequently cutting into their revenue and profitability – or sacrificing consumer confidence in the integrity of an important sales vehicle.

Addressing this violation starts with understanding the ways in which gift cards are scammed.  One of the most popular hustles involves covertly copying identification numbers from gift card displays, then stealing funds from these cards after they’ve been purchased by customers.  Scammers typically call to inquire about the balance on “their” card to determine whether cards have been activated; once this is confirmed, the thieves then purchase goods online before rightful customers have the chance to do so.  The hoax is even easier to pull off if employees are the ones cribbing card numbers and can personally monitor when the cards are activated.  Alarmingly, this is just one of numerous known scams, which run the gamut from gift card cloning to selling stolen gift cards on auction websites.

Implementing strong security around gift card programs is key to ensuring its protection for both customers and businesses.  Simple steps, such as altering gift card displays so that actual cards aren’t accessible to the public, as well as building in privacy features like pin codes, can go a long way towards deterring criminal activity.  Internally, companies must also take measures to ward off employee fraud; for example, discarding used cards and monitoring blanks to prevent employees from switching customers’ cards with old or inactive zero balance cards.

Gift cards are a growing market for businesses and should be treated as valuable sales currency, with the same risks of consumer fraud and internal misconduct that are posed by credit cards.  Developing robust safeguards, proper auditing and early detection and reporting of abuse are critical to protecting a program that is popular with customers and profitable to retailers.

The Holiday Season is one of the busiest times of year for consumer-facing businesses.  While Holiday sales can help improve a bottom line, the increased consumer activity also brings many headaches. One of the biggest headaches is falling victim to fraud schemes from wily consumers hoping to take advantage of business who do not have policies or controls in place.  Unfortunately many businesses don’t realize that they are victims until after the most wonderful time of year.

According to a recent article, use of a stolen credit card to purchase merchandise is one of the most common forms of fraud.  However, fraudsters are becoming more sophisticated and have learned to steal credit card information by intercepting transmissions from retail credit machines.   Scary isn’t it?

What can a business do to protect itself from damages now and in the New Year?  There are three things your business can implement immediately.  For example, require employees who process credit cards to ask customers to sign the credit receipt and check signatures on the back of the credit card.  Secondly, focus on delivering excellent customer service.  A happy customer is less likely to retaliate by making charge backs.  Lastly, define and implement a return policy to address the very real threat of merchandise return fraud.

Take the time to discuss threat of consumer fraud with your employees and implement policies to reduce fraud.  Doing so will enable your business to benefit from the seasonal increase in sales.