About a year ago one of the founders of Twitter and some other talented business persons came up with a mobile payment method called square. Square is a very tiny card reader that attaches to the audio port on a smart phone. It’s truly a clever little device that utilizes an existing port that just about every phone has. Merchant’s can sign up with Square without any fee and just about instantly process. Because of the ease of setup, there’s been some angry customers with money held, but something like this should be expected as the services operates on a similar model to Paypal. Square got some quick funding, and went off to the races faster than any payment related service in history. However, there’s a problem…

Unfortunately, Square also introduced one of the most efficient and low cost methods of creating an advanced credit card skimmer. When you sign up with Square’s processing service, you get the square for FREE. That’s right, for free you can turn your iPhone into a credit card skimming device. Thieves don’t even have to pay the $50 or so for a skimmer anymore, they get one for free. Not only is Square efficient and free, but they’ve already distributed hundreds of thousands of these little skimming nightmares all over the US.

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

There are 2 major problem with the Square hardware.

First, the square device does not encrypt data being transmitted between the reader and the phone. This could easily leave the service open to a targeted attack where other software could read the card information when it is being transmitted between the reader and the phone. This sort of issue may never be a major problem as it would take very specific software or a compromised phone for this flaw to be taken advantage of. However, it still remains a security possibility, one that cannot be overcome without updating the hardware completely.

Second, since the hardware has no encryption or secure link between it and the phone/square service, a programmer could easily write a program that would simply record the card information onto a database or file on the phone. This is the main problem that Verifone and many others are up in arms about. With the large memory cards that are commonly found in phones, a thief could theoretically store millions of card numbers on their phone. Additionally, since just about everyone has a cell phone, it is considerably less conspicuous for a thief to skim cards with a phone than with the dedicated skimmers which look something between a pager or a magnetic card reader you would see attached to a computer.

This morning, VeriFone launched an entire website dedicated towards bringing down square. While VeriFone is a direct and probably the largest competitor of Square with their PayWare Mobile App, they have quickly illustrated not only that the square can be used for skimming, but that there is software that can already be used with the square hardware.

The problem now is that there are tons of these square credit cards readers all over the place, so the damage has already been done. At this point there’s literally nothing that can be done to prevent skimming using square devices. There’s even applications for blackberry and android that already work with the square hardware even though it was designed for the iPhone and iPad. I think that this sort of hardware is a perfect example of what happens when a company pushes software or hardware without putting enough in the research in how to make it secure. There’s more than 1 way to steal a credit card number…

With the amount of focus on PCI and data security of the last 10 years this is a blatant disregard for the most basic best practices, even those established 10 years ago. Twitter may be a whimsical concept, but there’s really nothing amusing about completely botching credit card data security at the expense of consumers and the businesses whom accept those stolen cards…

Update 03-10-2011

So, Jack Dorsey issued a rebuttal to VeriFone‘s website and statements about the Square.

Second, as Dorsey points out, credit card fraud is not new. Every single time you hand over your credit card to someone (whether it is a merchant using Square, or any one of the dozens of other credit card input methods) you are trusting them not to steal it. Criminals steal credit card numbers all the time, both online and offline. But it happens, and when it does, consumers are not liable for fraudulent charges, the credit card companies are.

What’s not fair or accurate is Jack Dorsey’s fundamental lack of understanding of how the credit card industry works! Any merchant knows that if they accept a credit card that was stolen, they are liable for the fraudulent charges. There’s no magical credit card company that’s going to float in and take responsibility for it. The merchant loses when it comes to credit card fraud, plain and simple.

This disregard to merchants all while Square is trying to sell them a processing service is simply insulting. I’m a merchant as well, and this is just disrespectful.

After reading this, I am completely convinced that Jack Dorsey and Square have no business providing a payment service of any type to anyone. Stick to tweeting…

More than any resource I’ve seen before it, this paper gives a clear and easy to understand description of the current state of electronic crime.

Blippy is a service that allows people to share and discus, the purchases that they are making in near real-time. Basically, every time a Blippy user makes a purchase using their credit card, it shows up on Blippy. A little bit like twitter, a user can also embed their blippy feed on their blog, facebook profile, other social network, or website, and their followers can track and discuss every purchase that they make. For this to work smoothly, Blippy obviously needs to store and access some very sensitive information.

This data breach looks like it was extremely small, completely insignificant for realistic purposes, but I think it brings up some very strong points that should question card issuers stance on protecting their card holders.

The reason that Visa and MasterCard should provide some sort of protection for merchants, is that if card holders are stupid enough to share their credit card and bank login information with a social networking site such as Blippy, there’s really no reason that they should be continue to be protected at the expense of merchants. It’s simply absurd to think that merchants should bear the cost of people so ignorant that they would give their banking information out to some random website. “Social networking” and “security” are 2 terms as synonymous as fire and water.

One could always argue that Blippy should have kept the information more secure, which is obvious, but the real problem here is that credit cards are not meant to be used in this manner. It’s just baffling to me that someone would actually enter their card or bank login into any site that they do not have a close relationship with, or are making a purchase from. Then to expect their bank to cover them from unauthorized charges, is just beyond any reason. It’s reckless on Blippy’s part to make a service based on and requiring such sensitive information, and it’s even more reckless for card holders to share this information.

A quick example of the absurdity of this service is a line in Blippy’s terms of service:

Privacy: You may not publish or post other people’s private and confidential information, such as credit card numbers, street address or Social Security/National Identity numbers, without their express authorization and permission.

Hey, but Blippy can publish yours…

To me, this service is clearly crossing the line where credit cards were not mean to and should not go until major modifications to security and merchant protection are established!

To top it all off, Blippy issued this statement on their blog:

In general, it’s important to remember that you’re never responsible if someone uses your credit card without your permission.

As a merchant and a merchant service provider, I don’t want to end up taking a stolen card because a card holder decided to hand out their banking information to a social networking site, who thinks that chargeback expenses are somehow covered by a magical chargeback fairy. It’s the merchant that accepted the card who eats the cost of your poor programming, and complete lack of data security. I think Visa and MasterCard need to step in right now and quash this type of service, and specifically Blippy. It’s really simple, as Blippy is not involved in any part of a credit card transaction, they have no right to a card holder’s transaction information.

Blippy has issued resolutions to prevent this from happening again, but realistically their service should be canned now! My hat goes out to anyone who can get a $12M investment in a service that lets people share their purchases with the world, but it’s time that this is stopped before it gets out of hand.

Here is 10 items that should be checked on every order before shipping. If you do nothing else for fraud screening at least cover these basic principals to help prevent some of the more obvious fraud.

If any of these are true, it’s a good idea to further review the order, or contact the person making the purchase before shipping.

1. Billing and Shipping Addresses Don’t Match
2. Requesting Overnight Shipping
3. Order is for Multiple Quantities of the Same Item
4. Items Being Ordered are Mainly of High Value
5. Order is for Uncommonly Purchased Items
6. Different but Related Products Being Ordered
7. AVS and/or CVV Verification Failed
8. Customer Made Several Unsuccessfully Attempts Before the Transaction was Approved
9. Customer’s phone number and/or email look unconventional
10. Order is Being Shipped to Africa, Asia, or Eastern Europe

1. Billing and Shipping Addresses Don’t Match

This should be the first sign of potential trouble. While not impossible, it is rare for fraudulent orders to be shipped and billed to the same address. Someone making a purchase fraudulently will often have the item shipped to a forwarding address or other location that they are not personally associated with.

It is common for shoppers to ship to their home or business address which may be different from their billing address. Nevertheless, it’s a good idea to at least take a look at orders that do not have matching shipping or billing addresses. If an order is being billed to Omar Patel in Houston, and being shipped to John Smith in Seattle, you may want to ask why…

2. Requesting Overnight Shipping

While it’s completely reasonable for a customer to want their order ASAP, expedited shipping is a very common trait of fraudulent orders. The thief needs to get the merchandise as quickly as possible before a chargeback is made. With slower shipping methods, the merchant has the opportunity to halt the shipment if they receive a chargeback, or identify the order as fraud, which would make nullify the efforts of the thief.

3. Order is for Multiple Quantities of the Same Item

Many times, fraudulent orders are made with the intention of reselling the merchandise on eBay, Craigslist or locally. Multiple items make an easier sale and easier money especially if the items are in high demand.

Depending on your industry you may often get orders for multiple items, so this rule applies much less to some industries. For us, we often get orders for 10 or more credit card terminals as many businesses have multiple locations. Over time, you should be able to better identify common ordering trends.

4. Items Being Ordered are Mainly of High Value

As with above, since many fraudulent orders are placed with the intention of reselling the merchandise, the most expensive merchandise often yields the greatest rewards. The merchandise can be quickly sold and the thief can makes a decent profit even when discounting 50% or more. The higher the value of the merchandise to you, the higher the value to someone trying to steal it.

If your average order is $200, you should definitely take a closer look when someone places an order for $10,000. Also, keep in mind that the larger the order, the more damage to your business if a fraudulent order is successfully placed.

5. Order is for Uncommonly Purchased Items

I’m not entirely clear on the reasoning behind this, but it’s not uncommon for fraudulent orders to be for items that are rarely purchased. Most likely it is due to careless research on the thieves part. If you sell thousands of orders per year and have never sold some particular item, I would be suspicious when someone comes along wanting it. There’s usually a reason why some products sell a lot and why others never sell. It’s not common for only 1 customer ever to be interested in an item that you offer.

New ecommerce sites will have a hard time with this rule, but once you establish some sales history and if you really know your products, it’s easy to spot and flag orders with uncommon items in them.

6. Different but Related Products Being Ordered

Let’s assume you sell LCD TV’s online. It’s very common for someone to come along and purchase a single TV. Maybe you have a sale and someone purchases several TV’s on sale, still a completely reasonable scenario.

Now, let’s say someone orders 5 TV’s, and every one is a different brand and size. This should immediately raise a red flag. Yes, it’s possible that someone wants 5 completely different TV’s, but purchasing products like this is not a common shopping or even human behavior and warrants further investigation.

7. AVS and/or CVV Verification Failed

While the majority of the largest ecommerce sites still do not require CVV, it’s a really good idea for you to. If your customers are US based, requiring a positive AVS zip code match is also a good idea. AVS verifies the address of the cardholder, and CVV verifies that the person placing the order has at least had the physical credit card in their possession. Even if  the card number was stolen, odds are the thief does not have the CVV number unless the entire card was stolen.  If the entire card was stolen, there’s a good chance that the owner would have canceled it already. CVV costs nothing, and I strongly recommend all merchants to at least require it to be submitted. Because the number can be worn off the card, I do not always recommend a positive match, but this is something you need to assess specifically for your business and your customers. When in doubt, require it!

8. Customer Made Several Unsuccessfully Attempts Before the Transaction was Approved

This works in conjunction with AVS and CVV verification. If someone is attempting to place orders using a stolen card, it’s common for several declines due to an incorrect address, expiration date, or CVV.  Keep a close eye on customers that submit multiple declined or AVS/CVV mismatch transactions. 1 or 2 errors may be common, but if you start seeing a group of attempts it may be a sure sign of fraud.

If you start seeing hundreds or even thousands of attempts it is almost certainly an entirely different type of fraud called carding. This type of fraud can be very costly to your business even if you never lose any merchandise, so it’s important that you promptly address and correct the situation that is allowing it.

9. Customer’s phone number, email and/or shipping information look unconventional

You wouldn’t believe how many times fraudulent orders use incorrect, fake, or just plain goofy email addresses, phone numbers, and ship-to information. If you get bounced receipt emails, see an email like fbi.gov, see phone numbers like 555-555-5555, or are shipping to Mickey Mouse, you should probably be concerned about the order being fraudulent. Additionally, if the phone number contains a country code, or incorrect area code, there’s a good chance that someone just typed the first digits they could into the phone number box.

Most business and personal land-line phone numbers can be researched just by entering them into a google search. At the very least you can figure out if the area code matches the billing or shipping address, and if the number is actually valid.

10. Order is Being Shipped to Africa, Asia, or Eastern Europe

I don’t want to discriminate against people in any particular country, but it’s a fact that a lot of fraud originates in a few select regions and countries of the world. Unless you have experience in international-commerce, it’s a good idea to only cater to your own country, or ones you know and trust very well. I wouldn’t even consider shipping a product to most African countries, East Asia, Eastern Europe and Russia. Also, some areas like Amsterdam are notorious for credit card fraud. Be very careful when accepting international orders.

Even if an order isn’t fraudulent, international orders can introduce a multitude of additional customs, credit card processing, and legal requirements, and can make processing returns very difficult. Something as simple as shipping from the US to Canada, can present a number of problems and costs that many website owners are not prepared to deal with. I strongly suggest doing a lot of research and finding someone who has real experience before venturing into international shipping.

Final words…

I can guarantee that every online merchant will face some form of credit card fraud. Credit card fraud is a minor inconvenience to some, and will end others’ online ventures. Not all merchants need to use some of the more advanced fraud screening methods out there, but everyone should cover the basics.

I stumbled on a Visa operating regulation that I was not aware of. “You cannot require an ID in order to complete a Credit transaction.” Furthermore, you cannot decline or refuse a transaction if your customer refuses to provide an ID.

Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures.

The author was completely wrong as far as MasterCard goes, who takes a different approach to the situation…

For unique transactions processed in a face-to-face environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used), request personal identification of the cardholder in the form of an unexpired, official government document. Compare the signature on the personal identification with the signature on the card.

American express is a little vague, but still states that the identity should be verified…

Verify that the customer is the Card-member. Cards are not transferable.

It’s actually hard for me to believe that Visa goes this far in trying to protect their cardholder’s convenience at the expense of their merchants being exposed to potential fraud. I strongly recommend checking the ID of every card holder. No regulation prevents a merchant from asking for an ID, and I can’t imagine a customer seriously refusing under any normal circumstance. Merchants are not allowed to ask for an ID on “PIN” debit transactions where a customer enters their PIN number into a pinpad. For signature debit, where the card is processed like a credit card, treat the transaction just like credit and ask for an ID.

If anyone would like to see the various card regulations, they can be found here:
Visa
MasterCard Chargeback Guide
AMEX

Discover’s site requires registration, and I was unable to register with the Discover numbers of the 4 merchant accounts that we have. If anyone has a copy of Discover operating regulations, I would love to see them.

Phase V – July 1, 2010
Phase V mandates the use of payment applications that support PCI OSS compliance, requiring acquirers, merchants and agents to use only those payment applications that can be validated as PA-DSS compliant.

Put this into perspective. There are currently millions of websites using paid and open source software for their online stores. Software like Oscommerce, Zen Cart, Magento, and others have millions of users. There are only 2, online store software packages that are PA-DSS compliant. If there is not a mass-movement to get software PA-DSS compliant in the next year, almost every single online store will be out of compliance and subject to fines, or being shut down. This is only a small part of the problem. There’s still thousands of retail businesses using older payment software and the cost of upgrading would be in the millions, assuming it’s even possible.

As written by Evan Schuman
“Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors.”

Where the real mess begins…

There are currently about 40 companies certified to perform PA-DSS validation. The cost to certify a single payment application could be $100,000 or more if the application is extremely complicated. There is an additional “mandatory” yearly fee of $1250 just to be listed as a Validated Payment Application. Based on cost, and complexity, there’s not many shopping cart software providers that can come close to getting PA-DSS certified in the next year. Even then, that still leaves the open source solutions, which the majority of all ecommerce sites are using.

From Rick Wilson
“What about home grown and open source shopping cart solutions? What happens to them on July 1st, 2010. I asked this question to our auditor and his answer was telling, he said that “essentially if an application can’t be PA-DSS certified because it’s not developed by a single entity for example, then the service provider of that entity will need to become PCI Level 1 certified in order to keep offering that and be in compliance”.

Level 1 certification is nearly as expensive as PA-DSS certification, so don’t expect any relief from if you’re using a custom or open source solution. They’ve truly left no way out this time…

In conclusion…

We’re about to experience a payment industry nightmare potentially having the ability to halt commerce as we know it. If you thought that the $20 per month fee from your processor was bad, you’ll really hate the $50,000 bill when you go to get level 1 certified. If Visa takes the hard-line stance that merchants not using PA-DSS certified software get shut down, it’s going to get really ugly. The current focus of the processing industry is on PCI-DSS compliance and a slew of new fees and charges related to it. But, in about a year, we’re going to see the true fallout of implementing ineffective regulations without foresight into what it actually takes to adopt them, or whether they actually do anything. The only thing we got out of the congressional hearing on PCI is that congress thinks it’s not enough, and merchants think it’s way too much.

Houston, we’re about to have a problem!

Related reading…
PA DSS in One Easy Lesson…Sort Of
PA DSS Is Remarkably Misunderstood
PA-DSS and Ecommerce Web Hosting

Bloggers and advocacy groups like the NRF argue that this bill will level the playing field when it comes to processing costs. This may be true for huge retailers like Walmart, but will almost certainly reduce the quality of processing services to the small business in addition to a much greater overall cost. Just name a situation where government regulation ends in better quality services at a lower cost…

The argument against interchange has been fought by twisting the reality in what interchange is, who it goes to, why it’s charged, all by large corporations and angry merchants. While the US has some of the highest interchange costs in the world, we also have the lowest overall processing costs, the lowest setup cost, and by far the highest quality services in the world. In some countries, you would have to pay over a thousand dollars just to get setup processing credit cards, and your monthly bill could easily be double for the exact same services, all with lower interchange. Creating a non-competitive environment like the one proposed by regulating interchange, will create a situation much like the one described above.

I urge anyone in the processing industry, and anyone that stands against huge corporations like Walmart leveraging the government and small business owners to fight a cause that hurts everyone, to contact their representation.

Typically fraudsters look for times when business are most vulnerable, and when business picks up a lot, oversight is often the result.

Illegitimate customers are placing orders for flowers using stolen credit card information. The orders are typically placed via fax, e-mail, and/or hearing-impaired relay calls. The perpetrator then requests that the florists wrap the flower arrangements in various amounts of cash and bill the difference to the credit card number(s) provided. These orders have been known to reach $4,000.00. A shipping address for the order is then provided to the merchant.

In some instances, the perpetrators have been known to hire an unsuspecting accomplice to pick up the flowers in person. This accomplice is then instructed to ship the flowers via UPS or the U.S. Postal Service.

When the true cardholder receives the floral charge on their monthly statement, they will initiate a chargeback, as the order was placed without their authorization. As a result, the merchant will become liable for the fraudulent sale.

Every time a credit card is reported as stolen, a huge amount of past data about that card is put into a big database. This database of pre-fraud activity is used in a large algorithm to look for similarities, which can signal the origination of stolen or lost credit card numbers. Since Visa and MasterCard have access to billions of transactions worth of information, they can screen for events that may signal that a business is losing card numbers.

If you were to greatly simplify this system and a map from it, it would look something like this:

In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, it’s very difficult to end up with false positive fraud once a margin of error is established.

Let’s assume there isn’t any conclusive evidence that cards were stolen from a single business. Issuers are also looking at the processor a business is using. If there is a common processor or processing network that many businesses are using, it could be a signal of a data breach on a processor level.

The similarity in this case is the processor that many of the businesses were using. This is basically how the Heartland breach was discovered. Unfortunately, the only companies that can see fraud like this are ones that have access to huge amounts of past card usage. Their computer systems basically load billions of pieces of data about transactions, the businesses that accepted a customer’s card, and the processors who processed them. When enough lines meet up at a single point, there’s a chance that something happened there. It really doesn’t matter where in the process of a transaction the lines all cross, just that they do cross.

Keep in mind that these diagrams are grossly simplified, think a billion times simplified. But, it’s easy to see that if you have the right data and know what to look for, fraud can be easy to spot.

Here’s a great map of credit card fraud in the UK. While not a processor related point, this is the best visual demonstration of visually spotting fraud hot spots on a map that I have seen.

This tells me that Visa has explicitly identified threats, where they are originating from, and these locations are static enough that blocking them would actually do some good (IP blocking is a terrible way to prevent/stop malicious behavior).

Download the security alert »

Table 1, Search for these programs:
Filename	Purpose	MD5/SHA-1 Hash(s) or Registry Key
appsqlio.exe	Reverse shell tool	387cda6eb91f0b3a054de20c02320338
obsqlio.exe	SQL output redirector	f640e53718bc83cb8bb10b1eafb50edf
blobsqlio.exe	Packed version of gsecdump	959523fc10584da9bfb31a524ff472aa
sn.exe	Packet sniffer	e07b83abda5b566b3e9a30515a59ecc3
msdtsc.exe	Packet sniffer	4724103b13e6ce832fbb2c08a419eac6
svclhost.exe	Network communication tool	da4ab50185c7b246d1d2c8fa7bd7a5ed
rexesvr.exe	Command line execution	003f6cda98a40529cc87fd1387714fd7
svcl.exe	Renamed version of sn.exe	e07b83abda5b566b3e9a30515a59ecc3
eqslquery.exe	Script that automates the installation of rexesvr.exe	bc354dcf5221aea9fae8a3283c09504d
rarx.exe	Compression tool	fd729427144044730c572fd5b9be7dd9
Soft.exe	Backdoor	ea75939da539a3879e5b442b11b51f24
lsasstd.exe	Backdoor	07536e77ece9e70f5bf3d6f357c77b04
lsasstm.exe	Backdoor	e2736b8e0628a07fc3a6dcccad99245e
smn.exe	Backdoor	b0ff54c190455feda3f67b53c4a4453d
mstsk.exe	Utility to inject code on running processes	ddfd9073a5f222e223f5f2156c71629d
Download original…

Please note that normal windows processes may run under the same filename. Do not assume that a process is suspect unless the MD5 hash matches the one in the table. If you need a MD5 hash generator, try this one for free.

The IP’s above have somehow been identified as being related to malicious behavior, but by just blocking them you are not making your system inherently secure. Blocking IP addresses is generally not an effective or long-term method of preventing malicious access. There are over 2 Billion possible IP addresses, and each IP can have a virtually unlimited number of computers and networks behind it. If you block an IP address, there are a billion others that could be used for malicious behavior. Also, wrongfully blocking an IP address could potentially restrict a huge number of people from your network. In the case of a website, this could result in significant loss of business. Please make sure you understand exactly what you are doing when searching for applications, or blocking IP’s. If in doubt, contact someone more qualified in network security.