19 February 2018
Pat Carroll


Pat Carroll - ValidSoft

Innovation in Financial Services


A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

The Next Target-Style Attack This Holiday Season?

11 August 2014

Remote Access Vulnerabilities and “Backoff” PoS Malware to Lead to Potential Next Wave of Target-Style Attacks this Holiday Season

Data breaches, identity theft and stolen payment card credentials are the gifts that keep on giving (or taking, depending on your perspective). Just ask any of the 100+ million consumers caught up in the wave of security breaches and Point of Sale (POS) malware attacks perpetrated against retailers including Target, eBay, Neiman Marcus, Michaels Stores, and more late last year. As we enter fall and look ahead to the coming holiday season, a new advisory issued by US-CERT, the United States Computer Emergency Readiness Team, gives reason for concern that we could see another holiday season rife with cybercrime.

In the wake of the Target breach and subsequent investigations at numerous retailers, the new US-CERT report reveals potential risks posed by remote desktop applications and weak authentication schemes (poor password policies) – critical contributing factors in the Target breach. The report also examines the rise of new POS malware dubbed “Backoff”, which has proven difficult to detect with current anti-virus security software. Together, these two developments mean that retailers and millions of consumers are at risk of having their data - names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses - exposed to “criminal elements.” So before we go through another holiday from cyber-hell, what can be done?

Drawing upon more than 25 years of personal experience in the payment industry, working with banks, financial institutions and government agencies on all matters pertaining to payment transaction security and fraud prevention, the answer remains clear – the industry must realize that a “one size fits all” security-only approach to preventing cybercrime is doomed to fail. What is needed is a logical approach to not only protecting data access, but ensuring that any stolen data is rendered useless to crooks, something that can only be accomplished through enhanced multi-layer, multifactor authentication. The challenge we face as an industry is how we approach the balancing act between security and consumer convenience, for as we have seen, even the adoption of new security approaches to protecting payment cards, with schemes such as Chip and PIN (EMV) and even biometrics, is not without potential problems.

Whilst we must all continue to assess the ever-changing threat landscape and stay informed about the threat reports coming from US-CERT and other industry groups, we can’t forget that, at all times, we need to work together to ensure that we and our customers are protected. The reality is that the industry needs to move forward and adopt a risk-adjusted approach to authentication and transaction verification. It’s clear that the primary goal remains “zero friction”, and adopting a multi-layer, multifactor approach to fraud detection and prevention can help achieve a “low friction”, intuitive interaction with the customer when fraud is suspected or the risk profile of the transaction dictates. Such technology exists today and can help revolutionize a payments world littered with false positives, abandoned shopping carts, poor customer experience and high fraud rates. The growing awareness by consumers of such technology should unite them to urge their banks and credit card companies to implement that technology for their protection. It’s just push and pull, isn’t it?

The advent of EMV in the US will create a complex transitional landscape over several years where Card Present fraud will continue to flourish and where Card Not Present fraud (online) will grow. Trust will be severely questioned. The time is now for new mindsets and the time is now for action; otherwise it is only the cybercrooks that will get gifts this holiday season!


Tags: Mobile & online, Payments

Comments: (1)

A Finextra member | 14 August, 2014, 02:24

Multi-layered, multifactor authentication is what is needed in any viable solution to credit card fraud; however, there is a delicate balance to be struck in any fraud prevention system and that is security on the one hand and consumer adaptability on the other. Pat Carroll has always recognized this and has been both an innovator and a champion of multi-layered, multifactor authentication for years.
