6/30/2017
Stay a Step Ahead of the Bad Guys
Bill McCurry
Make something idiot-proof and a smarter idiot will step forward. The “hack-proof” EMV chip was introduced in Europe in 1993. The initials stand for the original companies that created the standard: Europay, Mastercard, Visa. It came to the USA in 2012. By 2020, all venues are expected to be compliant.
The chip, unlike the magnetic strip with its unchanging information, creates a new transaction code with every use. Initially, its use significantly slowed fraud, but very quickly crooks found ways around it.
You may not have heard of the CNP Expo. I hadn’t until I attended in May. CNP (CardNotPresent) is a trade show for those in website security. Its goal is to stay one or more steps ahead of the crooks. Brett S. Johnson, once called the Cybercrime Godfather, was a keynoter. His largest headlines came after he worked as an expert hacker with the Secret Service—while using government computers/offices for his fraudulent schemes. Now out of prison, Brett is teaching others how to stop fraud. It’s his way of giving back. Brett takes full responsibility for his actions, regrets his decisions and realizes he can only look forward.
He told us many of the bigger fraudsters had been caught multiple times for petty crimes. Since they faced zero consequences for these misdemeanors, they continued to refine their skills. Without saying “always prosecute,” Brett did raise the question of how many fraudsters might have reformed if they’d been punished for shoplifting, kiting checks, stealing from the till, etc. “Empathy” for a petty thief does them and their victims a disservice.
Brett told us hackers have figured out how to work around the chip. When it malfunctions, the card terminal asks that the card be swiped. If the “customer” inserts the wrong edge in the chip reader, they may be asked to swipe the card. Hackers know how to trick the reader into saying “Swipe Card.” A non-functioning chip doesn’t always mean it’s a bad guy with a bad card, but the chances are higher.
If you must swipe an EMV card, protect yourself by requesting a picture ID. Compare the name on the ID to the name on the card AND the name printed on the receipt AND the name shown on your terminal. All four should match. Finally, confirm the last four digits printed on the card and match those printed on the receipt.
If it’s a fraudulent charge but you’ve done due diligence, you may successfully fight the chargebacks, assuming your system is EMV compliant. If you aren’t EMV compliant, it’s guaranteed all losses are yours.
Skip Myers is Director of Loss Prevention and Risk Strategy for Micro Center. His background includes 30 years in law enforcement. Skip has a new acronym garden centers don’t hear about—ORC (Organized Retail Crime). There are networks of thieves stealing anything/everything anyone wants, nationally or internationally. They communicate with each other. They share who they feel are easy targets and who aren’t.
To protect your assets, Skip tells retailers to remember The 4 Ds:
Detect—Alarms, lights, security cameras, etc.
Deter—Keep valuables out-of-sight, locked up, watched, etc.
Delay—Keep valuables chained down and further from the door, etc.
Deny—Customer service team always on lookout, security at the door, locked storerooms, etc.
Skip advises you look at your store like a thief does. What is your store telling you? Can you change the traffic flow, display height or CCTV cameras to make that space less enticing?
Constantly updating your loss prevention strategy is more critical today than it was yesterday. Saving your corporate and personal assets is a critical step to ensuring your financial future.
GP
Bill would love to hear from you with questions, comments or ideas for future columns. Please contact him at wmccurry@mccurryassoc.com or (609) 688-1169.