Archive for the ‘fraud protection’ Category

2010 Data Breach Report From Verizon Business, U.S. Secret Service Offers New Cybercrime Insights

Wednesday, July 28th, 2010

Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement

BASKING RIDGE, N.J. – July 28, 2010 –

The 2010 Verizon Data Breach Investigations Report, based on a first-of-its-kind collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups.

The study, released Wednesday (July 28), also noted that the overall number of breaches investigated last year declined from the total for the previous year – “a promising” indication, the study said.

The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations.  Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said.

Verizon Business investigative experts found, as they did in the company’s prior data breach reports, that most breaches were considered avoidable if security basics had been followed.  Only 4 percent of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time.  And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

The collaboration with the Secret Service, announced in May, enabled this year’s Data Breach Investigations Report to provide an expanded view of data breaches over the last six years. With the addition of Verizon’s 2009 caseload and data contributed by the Secret Service – which investigates financial crimes – the report covers 900-plus breaches involving more than 900 million compromised records.

“This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective,” said Peter Tippett, Verizon Business vice president of technology and enterprise innovation.   “By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime and our ability to stop breaches.”

Michael Merritt, Secret Service assistant director for investigations, said: “The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia has been a proven and successful model for facing the challenges of securing cyberspace.  It is through our collaborative approach with established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts.”

(NOTE: Additional resources supporting the 2010 data breach report are available, including an audio podcast, video podcast and high-resolution charts and graphs.)

Key Findings of the 2010 Report

This year’s key findings both reinforce prior conclusions and offer new insights. These include:

  • Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners. Forty-nine percent were caused by insiders, which is an increase over previous report findings, due in part to an expanded dataset and the types of cases studied by the Secret Service.
  • Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information.  An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.
  • Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. Eighty-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.
  • Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.

The State of Cybercrime: 2010

The report said the decline in the overall number of data breaches may be due to a number of factors, including “law enforcement’s effectiveness in capturing criminals.”  The report cited the arrest of Albert Gonzalez, one of the world’s most notorious computer hackers, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and who was sentenced last year to 20 years in prison.

“The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime,” said Tippett.  “As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools and services that will continue to make a difference.”

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the “Big Three” of industries affected (33 percent, 23 percent and 15 percent, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon’s caseload.  A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.

More than half of the breaches investigated by Verizon in 2009 occurred outside the U.S., while the bulk of the breaches investigated by the Secret Service occurred in the U.S.  The report finds no correlation between an organization’s size and its chances of suffering a data breach.

“Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size,” Verizon researchers noted.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

  • Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged, and reports detailing that activity sent to management.
  • Watch for ‘Minor’ Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies.  Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
  • Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.
  • Monitor and Filter Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
  • Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make needed changes.  Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.
  • Share Incident Information. An organization’s ability to fully protect itself is based on the information available to do so. Verizon believes the availability and sharing of information are crucial in the fight against cybercrime. We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.

A complete copy of the “2010 Data Breach Investigations Report” is available at http://www.verizonbusiness.com/go/2010databreachreport/.

About the United States Secret Service
Well known for protecting the nation’s leaders, the U.S. Secret Service also is responsible for protecting America’s financial infrastructure.  The Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency’s inception in 1865.  As technology has evolved, the scope of the U.S. Secret Service’s mission has expanded from its original counterfeit currency investigations to also include emerging financial crimes.   As a component agency within the U.S. Department of Homeland Security, the U.S. Secret Service has established successful partnerships in both the law enforcement and business communities – across the country and around the world – in order to effectively combat financial crimes.

About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE, NASDAQ: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the world’s most connected IP networks to deliver award-winning communications, IT, information security and network solutions.  We securely connect today’s extended enterprises of widespread and mobile customers, partners, suppliers and employees – enabling them to increase productivity and efficiency and help preserve the environment.  Many of the world’s largest businesses and governments – including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions – rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.

First Data Extends Payment Card Security to Merchants

Monday, May 31st, 2010

TransArmorSM Solution Piloted by Spectrum of Brick-and-Mortar and Card-Not-Present Retailers; First Commercial Transaction Tokenized on STAR ® Network

RSA CONFERENCE 2010, SAN FRANCISCO, March 1, 2010 – First Data Corporation, a global leader in electronic commerce and payment processing, today announced the expansion of a merchant pilot of the First Data® TransArmorSM solution. More than 400 U.S. merchants of all sizes will assess the comprehensive data security solution over the next four months. The TransArmor solution (previously called First Data® Secure Transaction ManagementSM) was developed in close partnership with EMC Corporation (NYSE: EMC).

The TransArmor secure payments service is designed with the needs of merchants in mind, and it has the opportunity to fundamentally change the way merchants secure and manage cardholder data. The TransArmor solution addresses the root cause of merchant data security issues by removing payment card data from the merchant environment as part of processing the transaction, significantly reducing risk and the scope of PCI compliance efforts.

Deploys RSA SafeProxy Architecture
The solution leverages the RSA SafeProxyTM architecture, a powerful combination of asymmetric encryption, tokenization and key management engineered to provide the benefit of end-to-end protection and eliminate on-site cardholder data storage for merchants. Unique features of the token make it possible for merchants to continue to handle key business functions such as returns, recurring billing, loyalty programs and other analysis, without enabling card data to be used for fraudulent transactions.

On Feb. 26, 2010, the TransArmor solution tokenized the very first commercial transaction over the STAR ® Network at the Center of Science & Industry (COSI) in Columbus, Ohio. A First Data company, STAR is one of the nation’s leading electronic funds transfer (EFT) networks with more than two million retail and ATM locations.

“As an early participant in the TransArmor pilot, COSI is already experiencing the benefits of the solution. Like most consumers today, several of our customers had concerns about the safety of their credit and debit card data while visiting our center. TransArmor gives us peace of mind that their payment card data is locked in a virtual vault at First Data and nowhere on site at COSI,” said Brad Morgan, senior IT operations manager at COSI.

Works with Existing Merchant Hardware
Unlike some solutions in the marketplace, the TransArmor solution can be implemented without the need for new hardware or back-end IT operations. The solution works with First Data as well as other terminals or point-of-sale systems and can be consistently applied across brick-and-click environments.

“The response from merchants interested in participating in this trial has been enormous and a testament to the sought-after service TransArmor delivers,” said Craig Tieken, vice president of Merchant Product Management at First Data. “Up until now, there have been few easy and cost-effective solutions to the growing problem of managing the risks of handling sensitive payment card data. TransArmor represents a fundamental change in how merchants can confidently protect and manage cardholder data.”

The consequences of a merchant data compromise in legal, financial, consumer confidence and brand loyalty terms can be overwhelming. According to the 2009 U.S. Cost of a Data Breach Study by the Ponemon Institute, the average cost for merchants coping with a data breach in 2009 rose to $6.7 million with the cost per customer record breached estimated at $204. With the TransArmor solution, customer card information is retained only at the processor and protects merchants from the dangers of malicious attacks designed to steal payment card data in transit or in storage from merchant databases.

“Implementing effective data security can’t mean more complexity for businesses,” said Brian Fitzgerald, vice president, Marketing, RSA, The Security Division of EMC. “TransArmor successfully embeds industry-leading security technology into the payment processing infrastructure to make it available to, and more importantly, usable by merchants of all sizes. TransArmor is an example of the type of partnerships required from industry leaders that will reduce the reliance on point solutions and enable an industry ecosystem with pervasive built-in security.”

Teams from RSA and EMC Consulting worked collaboratively with First Data through product strategy development and technology proof of concept for a successful pilot and product launch.

About First Data
First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 36 countries.

Should you require CVV or AVS for phone orders?

Thursday, December 10th, 2009

Why check the address instead of the CVV for mail orders to protect against fraud? Shouldn’t the CVV or CVV2 be checked before anything else? The difference really lies in the way your firm processes orders and the need to be PCI compliant.

MO/TO or MOTO stands for Mail orders/telephone orders. The same rules apply for fax orders.

Mail orders or fax orders generally involve a pre-printed form returned with the buyer’s selection and pricing. The card is then scanned with an OCR device or the order is keypunched. Beware: if your form asks for the CVV or CID code, that code is at risk from the moment the form leaves the sender’s hands. Therefore, when the order is received, the merchant MUST protect this data and MUST NOT store it. You can also choose a way to process the order that does not require a CVV code but still protects the merchant from fraud; the AVS (address verification) check then becomes essential to prevent fraud. If you use a virtual terminal, it should require an AVS check.

If you complete phone orders by keypunching the cardholder’s data while on the phone with the customer, you can ask for the CVV or CVV2 code. The assumption is that you are using a PCI compliant solution, whether software or a virtual terminal, that does not store the CVV data. A secure method such as a virtual terminal can prompt for the CVV code and also perform an address check. There is still some risk in taking the CVV over the phone because the data is exposed to whoever handles the order. If transaction information is written down to be keypunched later, avoid writing down the CVV whenever possible; if it is written down, follow the PCI compliance standards that apply to protecting the data temporarily until it is securely shredded.

The AVS response can be a full match, partial match, no match, unavailable, or retry.

Full match – both the ZIP code and the address match.

Partial match – only the ZIP code or the address matches, but not both. You may wish to decide how much risk you are willing to assume based on the order value.

No match – neither the ZIP code nor the address matches. This is a sign of fraud, and further steps should be taken to verify that the transaction is valid. If you’re on the phone, ask questions and get the CVV. If you’re not on the phone, you might want to invest some time in research, depending on the value of the order. For example, I’ve used whitepages.com to research name, phone and address. If the person moved there could be a legitimate reason, but the person should be able to recite their old address.

Unavailable – the system is unavailable or the card issuer does not support AVS. US card issuers must support AVS, but this is not true worldwide. For merchants with many transactions from foreign cardholders, requiring AVS can be a problem because those cards can’t pass. However, all cards should be able to pass CVV. Merchants lose all chargeback prevention rights for card-not-present transactions if the CVV or AVS response is U.

Retry – the card issuer’s system is unavailable; try again later.

For more details, please see the Visa Card Acceptance Guide.

If the merchant performs an address check and gets a full match, plus has a CVV match, they’ll be in a better position to win chargeback disputes. However, your customer types, order processing methods, employees and industry are all factors in assessing risk and determining what steps are best for you to mitigate it. Whatever methods you choose, be sure to communicate policies to employees and always review the PCI Data Security Standards.

CenPOS is a technology solution with numerous controls to help management set criteria globally and down to the cashier level. Settings include AVS (full and partial) and CVV plus dollar thresholds.

In conclusion, whether you require the CVV or not is a business decision for MOTO transactions. You must factor in the risk of not taking the CVV, and the risk of having the data exposed until you’ve used it and then shredded it, against possible credit card fraud. For small ticket orders, you might wish to skip it to reduce risk. For large value orders, you may not want to risk your product going out the door. In that case, be sure to have a PCI compliance program in place and train employees. AVS should be required to pass without exception.
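One way to turn the AVS and CVV guidance above into a repeatable screening rule, as an added example that is not code from the original post or from CenPOS: the result categories, the Policy thresholds (partial-match amount limit, CVV-required amount, whether an unavailable AVS is a hard fail) and the sample orders are all assumptions chosen for illustration. Real AVS and CVV result codes differ by processor and card brand, so a deployment would map the processor’s codes onto these categories first.

```python
"""Screen a MOTO (mail/telephone order) transaction from its AVS and CVV results.

Added example: not the original post's or CenPOS's code. The AVS/CVV
categories, the Policy thresholds and the sample orders are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Avs(Enum):
    FULL = "full"            # address and ZIP both match
    PARTIAL = "partial"      # address or ZIP matches, not both
    NO_MATCH = "no_match"    # neither matches
    UNAVAILABLE = "U"        # issuer does not support AVS, or AVS was not available
    RETRY = "retry"          # issuer system down; try again later


class Cvv(Enum):
    MATCH = "M"
    NO_MATCH = "N"
    NOT_PROVIDED = "P"       # code not collected (e.g. a mail/fax form that omits it)


@dataclass(frozen=True)
class Policy:
    partial_avs_max_amount: float   # partial AVS match accepted up to this order value
    cvv_required_above: float       # orders above this value must carry a matching CVV
    require_avs: bool = True        # treat an unavailable AVS response as a hard fail


@dataclass(frozen=True)
class Screening:
    decision: str              # "accept", "review", "decline" or "retry"
    reason: str
    chargeback_evidence: bool  # full AVS match plus CVV match: the strongest dispute position


def screen_order(amount: float, avs: Avs, cvv: Cvv, policy: Policy) -> Screening:
    """Apply the post's rules in priority order: hard failures first,
    then value-dependent checks, then accept."""
    evidence = avs is Avs.FULL and cvv is Cvv.MATCH

    if cvv is Cvv.NO_MATCH:
        return Screening("decline", "CVV did not match", False)
    if avs is Avs.RETRY:
        return Screening("retry", "issuer AVS system unavailable; retry later", False)
    if avs is Avs.UNAVAILABLE:
        # An AVS 'U' response forfeits the merchant's chargeback protection.
        if policy.require_avs:
            return Screening("decline", "AVS unavailable and policy requires AVS", False)
        return Screening("review", "AVS unavailable; no chargeback protection", False)
    if avs is Avs.NO_MATCH:
        return Screening("review", "address and ZIP both failed; verify the customer", False)
    if cvv is Cvv.NOT_PROVIDED and amount > policy.cvv_required_above:
        return Screening("review", "order value requires a CVV check", False)
    if avs is Avs.PARTIAL and amount > policy.partial_avs_max_amount:
        return Screening("review", "partial AVS match exceeds policy amount", False)
    return Screening("accept", "checks passed under policy", evidence)


if __name__ == "__main__":
    policy = Policy(partial_avs_max_amount=100.0, cvv_required_above=250.0)
    # Constructed orders: (amount, AVS result, CVV result)
    for order in [(45.0, Avs.FULL, Cvv.MATCH), (300.0, Avs.PARTIAL, Cvv.MATCH),
                  (20.0, Avs.NO_MATCH, Cvv.MATCH), (900.0, Avs.FULL, Cvv.NOT_PROVIDED)]:
        print(order, "->", screen_order(*order, policy))
```

The ordering of the checks is the point: a CVV mismatch or an issuer outage is decided before any amount threshold is consulted, so a low-value order cannot slip past a hard failure, and the chargeback_evidence flag is only ever true for the full-AVS-plus-CVV case the post singles out.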

Payments Fraud Rampant in Majority of U.S. Organizations

Tuesday, November 17th, 2009

Fraud control measures heavily employed to mitigate risk and reduce exposure

March 26, 2009 – Deteriorating financial conditions in 2008 coupled with the emergence of new payments types and the growth of electronic payments opened up new opportunities for payment fraud, according to the 2009 AFP Payments and Fraud Control Survey. The assault on payments is widespread: over seventy percent of organizations surveyed experienced attempted or actual payments fraud in 2008. The survey was sponsored by J.P. Morgan Treasury Services.

Large organizations were more likely to have experienced payments fraud than were smaller ones. Eighty percent of organizations with annual revenues over $1 billion were victims of payments fraud in 2008 compared with 63 percent of organizations with annual revenues under $1 billion.

Since 2005, the Association for Financial Professionals (AFP) has examined the nature and frequency of fraudulent attacks on business-to-business payments and the industry fraud-risk tools that organizations use to control payments fraud.   Continuing that research, in January 2009 AFP conducted its Payments and Fraud Control Survey to capture the payments experiences of organizations during 2008.

Thirty percent of survey respondents report that incidents of fraud increased in 2008 compared to 2007. Further, nearly forty percent of organizations experienced increased fraud activity during the second half of 2008 as economic conditions worsened in the U.S.

According to Nasreen Quibria, Director of Payments for AFP, “the fraud attacks on payment activities have occurred at a greater frequency than we’ve seen in the past. Now, the vulnerability of all payment methods, especially checks, demands a range of fraud-fighting tools and the vigilance of financial and treasury professionals responsible for protecting organizations’ assets.”

Nine out of ten organizations (91 percent) that experienced attempted or actual payments fraud in 2008 were victims of check fraud. The percentages of organizations affected by payments fraud via other payment methods were: ACH debit (28 percent); consumer credit/debit cards (18 percent); corporate/commercial cards (14 percent); ACH credits (seven percent); and wire transfers (six percent).

Sixty-three percent of organizations that were victims of actual and/or attempted payments fraud in 2008 experienced no financial loss, and among organizations that did suffer a financial loss resulting from payments fraud in 2008, the typical loss was relatively small at $15,200.

Many organizations are mitigating financial loss from fraud by turning to a number of defensive measures provided by their banks, including:

  • Positive pay/reverse positive pay (82 percent)
  • ACH debit blocks (71 percent)
  • ACH debit filters (55 percent)
  • Payee positive pay (50 percent)
  • Post no checks restriction on depository accounts (34 percent)

Organizations can also develop and/or modify internal business processes to minimize potential payments fraud risks.  The processes considered important include:

  • Stopping the provision of payment instructions by phone or fax (86 percent);
  • Increasing the use of electronic payments for business-to-consumer and business-to-business transactions (82 percent); and
  • Reducing the number of bank accounts (82 percent).

“J.P. Morgan is highly sensitive to the need for vigilance in protecting client assets from fraud,” said Iqbal M. Khan, executive director, J.P. Morgan Treasury Services. “We are pleased to sponsor the 2009 AFP Payments and Fraud Control Survey. We look forward to the data being used to foster important discussion around this issue and to seeing the financial community continue to develop anti-fraud tools that provide the critical safeguards corporates want and need.”

The survey includes responses from 629 corporate treasury and finance professionals including assistant treasurers, controllers, cash managers, analysts, and directors. To obtain a complete report of the 2009 Payments Fraud and Control Survey go to www.AFPonline.org/research.

About AFP
The Association for Financial Professionals (AFP) serves a network of more than 16,000 treasury and finance professionals. Headquartered in Bethesda, MD, AFP provides members with breaking news, economic research and data on the evolving world of treasury and finance, as well as world-class treasury certification programs, networking events, financial analytical tools, training, and public policy representation to legislators and regulators. AFP is the daily resource for treasury and finance professionals.

AFP’s global reach extends to over 150,000 treasury and financial professionals worldwide, including AFP of Canada; London-based AFP’s gtnews, an on-line resource for the treasury and finance community; and bobsguide, a financial IT solutions network.

protect against payments fraud

Tuesday, November 17th, 2009

How can you protect your company from payments fraud? What are the current areas of risk? What are the statistics for losses? A JP Morgan presentation answers these questions with data for all payment types.

Managing Risk: What Matters Today: Protecting Your Assets is part of a series to help treasury management mitigate risk, among other goals (link to PDF download and webinar).

We’ve identified a number of companies, services, and technologies that are especially vigilant in protecting you against fraud, including JP Morgan. Unlike JP Morgan though, we are not limited to a single vendor option. Our clients can choose from many solutions, including expanding the relationship with their current vendor. We increase awareness of what’s available and help you choose solutions best suited for your organization.

For example, CenPOS has fraud protection solutions to prevent improper credit card refunds.

last 4 digits of card don’t match

Monday, August 17th, 2009

How can merchants reduce the risk of fraudulent card transactions? One of the most widespread credit card fraud schemes involves magnetic stripe counterfeiting: re-encoding a valid account number onto an existing magnetic stripe. One way to prevent fraud at retail locations is to require cashiers to check the last 4 digits with your software. We automatically program the last 4 digits as a required field for all retail merchants. Here is how it works with our host based payment processing technology and a signature capture terminal:

  • Cashier presses the sale button and enters the transaction amount. Other parameters such as an invoice number may also be required.
  • Customer swipes their card and the data is immediately encrypted.
  • Cashier asks to see the card, checks that it is signed, and then enters the last 4 digits of the card in the system.
  • Cashier presses submit and the data is sent via a secure internet connection to the host; the host returns one of the following:
    1. approval and a request for signature on the terminal; the customer signs and presses enter
    2. approval and a terminal prompt for a PIN, if the technology has determined that this transaction would best go through as a PIN debit transaction. The customer presses cancel to enter it as a credit transaction instead and is immediately prompted for a signature.
    3. denial and reason
      • If the magnetic stripe does not match the numbers you key in, the terminal will display “Last 4 Digits Do Not Match/Mismatched Digits” and will halt the transaction. To ensure that you didn’t enter the wrong number, run the transaction once more. If your terminal displays the same warning, call the Automated Voice Authorization Center and tell the operator that you have a “Code 10” authorization.
      • A request for a “Code 10” authorization tells the operator that a suspicious transaction is taking place. If you can’t speak freely, the operator will read a list of possible problems with the card so you can answer yes or no and avoid alerting the customer. You should attempt to stay on the line and keep the card until the authorization is complete. If the authorization is denied, follow the instructions the operator gives you.
      • If the card is fraudulent, do not attempt to apprehend the card user. If the operator instructs you to retain the card, attempt to do so peacefully. Follow any specific instructions the operator gives, unless they put you at risk.

Any credit card terminal can be programmed to prompt for the last 4 digits. A host based system also allows merchants to change and add security parameters on the fly for all locations.

Is your merchant processor helping you with risk management? For just pennies a day, you can have a host based payment processing solution that will reduce risk regardless of your payment processor, in addition to many other benefits, including cost reduction.
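As an added example (not the host-based system the post describes), the following Python code performs the last-4-digits comparison on the host side: it parses the swiped Track 2 data, sanity-checks the account number with the Luhn algorithm, compares the stripe’s PAN with the digits the cashier keyed from the card face, and drives the retry-then-Code-10 rule from the procedure above. The Track 2 regular expression follows the ISO/IEC 7813 layout; the sample track, the well-known test PAN it carries, and every response string other than the mismatch message quoted in the post are constructed for illustration.

```python
"""Last-4-digits check for a swiped card, with a Track 2 parser and Luhn check.

Added example: not the host-based system described in the post. The Track 2
layout used here (';' start sentinel, PAN, '=' separator, YYMM expiry,
3-digit service code, discretionary data, '?' end sentinel) is the standard
ISO/IEC 7813 format. The sample track is constructed around a well-known
test PAN and belongs to no cardholder.
"""
import re
from typing import List, Tuple

# The one response string taken from the post; the others are constructed.
MISMATCH_MSG = "Last 4 Digits Do Not Match/Mismatched Digits"

# Track 2: ;PAN=YYMMSSS<discretionary>?  (PAN is 12 to 19 digits)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def parse_track2(track: str) -> dict:
    """Split raw Track 2 data into its fields; raise on a malformed swipe."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("malformed Track 2 data")
    return m.groupdict()


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check on the account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four only. Log this, never the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def last4_check(track: str, keyed_last4: str) -> Tuple[bool, str]:
    """Compare the digits the cashier keyed from the card face against the PAN
    encoded on the stripe. A re-encoded counterfeit carries a valid PAN that
    differs from the number printed on the plastic, so the two disagree."""
    if not re.fullmatch(r"\d{4}", keyed_last4):
        return False, "Invalid Entry"
    try:
        pan = parse_track2(track)["pan"]
    except ValueError:
        return False, "Bad Swipe"
    if not luhn_valid(pan):
        return False, "Invalid Card Number"
    if pan[-4:] != keyed_last4:
        return False, MISMATCH_MSG
    return True, "Approved"


def cashier_flow(track: str, keyed_attempts: List[str]) -> str:
    """The post's two-attempt rule: a mismatch is keyed once more to rule out a
    typo; a second mismatch becomes a Code 10 referral instead of a sale."""
    last_msg = "No Entry"
    for keyed in keyed_attempts[:2]:
        ok, last_msg = last4_check(track, keyed)
        if ok:
            return "approved"
    if last_msg == MISMATCH_MSG:
        return "code 10 referral"
    return "halted: " + last_msg


if __name__ == "__main__":
    # Constructed swipe: test PAN 4111111111111111, expiry 25/12, service code 101.
    track = ";4111111111111111=2512101123456789?"
    print(mask_pan(parse_track2(track)["pan"]))
    print(last4_check(track, "1111"))            # genuine card: face matches stripe
    print(last4_check(track, "1234"))            # stripe re-encoded onto a different card
    print(cashier_flow(track, ["1234", "1234"]))  # second mismatch: refer for Code 10
```

Two details matter for a deployment of this check. The comparison runs against the PAN from the stripe, not against anything the cashier sees, which is exactly why a re-encoded card fails it; and the host should keep only the masked form in its logs, since a record of full PANs would itself put the merchant back in scope for the storage requirements the post warns about.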