Avivah Litan

A member of the Gartner Blog Network

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio

What Healthcare needs to learn from Retail after the Anthem Breach

by Avivah Litan  |  February 7, 2015  |  2 Comments

It seems like every news analysis article on the Anthem healthcare insurance breach headlines that data encryption is the solution that will stop similar breaches in the future.

Too bad these commentators’ have such short memories and forget what’s happened in the retail industry where PCI rules enforcing data protection (e.g. encryption, masking or other techniques) for data at rest and data in motion over public networks has done virtually nothing to stop criminals from hacking large retail chains like Target, Home Depot, Staples etc. etc. etc. These large scale hacks have occurred after U.S. retailers and other payment card acceptors have spent tens of billions of dollars securing – and often encrypting – credit card data.

Even Anthem’s spokesperson said encryption would have done nothing to stop their data breach because the hacker came in through a privileged user account. Some security vendors have responded that encryption can be tuned to limit the amount of records that can be retrieved — but such limits are not imposed by encryption, they are imposed by access rights.

This is not to say that encryption doesn’t help. Data protection is an important component of a layered security strategy that includes;

a) Protecting data at rest

b) Protecting data in transit

c) Changing your environment – either logically or physically – as often as possible (using deception or deflection techniques)

d) context aware behavioral analytics

To simply call out that the Anthem breach could have been stopped by requiring encrypting data at rest is a knee jerk reaction that regulators and legislators are bound to latch on to. No doubt, congressional hearings and healthcare/insurance regulators will now spend countless hours devising and implementing laws that require healthcare data custodians to encrypt their data – which will only help defend against yesterday’s attacks.

We’ve learned that;

a) Criminals know how to access encrypted data BEFORE it is encrypted – which it always is at some point.

b) Criminals’ preferred modus operandi is to hijack existing privileged user accounts (which have access to otherwise protected or encrypted data) to gain access to the information they want. (This is what Anthem says happened in their breach).

c) If there are controls in an application e.g. metering data access, criminals will quickly learn what those controls are and get around them, for example by slowing down an attack and mimicking authorized human users. (See recent blog “Where have all our passwords gone” describing how the criminals have done this with increasingly-harder-to-detect automated attacks).

Instead of regulating and legislating around yesterday’s attacks, wouldn’t it be refreshing if we learned from the past mistakes of the PCI-governed retail sector? What we learned with Retail and credit card heists is that a layered security approach is always required because you can be sure the criminals can penetrate one or two layers, but penetrating three or four or five layers makes their jobs that much harder and time consuming.

More importantly, the retail and credit card industry learned that sensitive data should be useless if criminals manage to steal it. Even Visa and MasterCard have been touting this lesson for years.

Translate that over to healthcare and other sectors that handle sensitive customer data – What’s required in part is surrogate values (ala tokens) for social security numbers so the SSN numbers themselves are not required to uniquely identify a person or patient for all the myriad purposes that healthcare insurers and government healthcare programs like Medicare use them for.

To protect credit card numbers, Visa and MasterCard finally came up with a really good and cost-effective tokenization standard for credit cards that ApplePay is the first to use. The EMV token standard does a great job of protecting consumer credit cards from theft and reuse (though merchant requirements need more attention. See Gartner research note “Avoiding Pitfalls with Payment Security Technologies”). Why can’t the government skip ahead a few years and do the same for social security numbers?

Instead, I think all we have to look forward to is many more years of breaches against health care companies and other custodians of sensitive personal data. This will be followed by knee jerk regulatory reactions — one at a time — that put in place a series of patchwork security solutions which cost companies billions of dollars to comply with but which do very little to keep determined bad guys out.

Progressive companies realize that compliance doesn’t buy them security and will seek to implement progressive solutions – which typically are not the ones regulators enforce.

2 Comments »

Category: Uncategorized     Tags:

Where have all our Passwords Gone?

by Avivah Litan  |  January 22, 2015  |  11 Comments

“Young hackers have picked them everyone.
Oh, when will they ever learn?
Oh, when will they ever learn?”

Not sure you remember this classic Peter Paul and Mary song but it is certainly appropros for the moment.

Last August, the New York Times reported that a Russian crime ring had amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses. The confidential data was discovered by Hold Security, and most market observers shrugged off this discovery, questioning Hold’s motives rather than confronting the gravity of this finding.

This wasn’t the only time we learned of hacked credentials and personal data. There have been numerous reports of them over the past year, as hackers broke into many household ecommerce brands and made off with this loot.

We’d be naïve to think that the hackers are just sitting on this data and not using it. In fact they are very aggressively. Over the past couple of months, Gartner clients have been telling us about the significant rise in automated attacks, whereby hackers use bot armies to run through user credentials at various consumer service websites, knowing that a few percent of them will probably work. According to a Gartner survey several years ago, we learned that over two thirds of consumers reuse their passwords across sites whenever they can.

This automated criminal cycling through user ids (generally email addresses) and passwords at various websites, such as online banking or credit card portals, is nothing new. We’ve heard about this from our clients for at least three years now. But these massive automated account takeover attacks have gotten much more sophisticated and escalated substantially according to our clients, with big pickups in such traffic just over the past 60 days, both during and after the holiday season.

Lots of good stuff goes on limited sales for the holidays, and lots of stored value in the form of gift cards and other loyalty programs is available, courtesy of family and friends who give these as holiday gifts. In fact, fraud detection vendor NuData Security has seen such scripted attacks against their large online customers double in just the past couple of months.

So what kind of online accounts are the hackers taking over with their newly acquired credentials and stolen data? Anything and everything that has monetary or resale value – usually via resale on popular auction sites – including;

a) Credit card or other bank account information stored in digital wallets at online retailers used to make checkouts much faster (so you don’t have to reenter all of it)

b) Digital currencies used for online games that they steal or purchase anew with stolen credit cards

c) Digital content such as electronic images

d) Travel awards, such as frequent flyer miles or hotel loyalty points (See Brian Krebs’ blogs on this at krebsonsecurity.com)

e) Limited editions of high-fashion goods like purses, sneakers, concert tickets where fraudsters or other types of scalpers buy them up in seconds or minutes usually with stolen credit cards, depriving legitimate shoppers of these nice deals. Instead consumers now have to buy these hot items at up to 450% markups on auction sites.

f) Stored value accounts at major brands representing favorite food and drink establishments or retailers.

These massive account takeover or account creation attacks (hackers often have to create new accounts to get their jobs done or launder the stolen goods through) are undetected by conventional fraud detection techniques that the hackers have learned to avert. Using large bot armies, they often throttle down the speed of their attacks while decentralizing the originating endpoints attacking the site so that they remain under the radar of their victims.

For example, they will have one endpoint across thousands in the bot army try one account credential once or twice in one hour and this will be repeated by different unique bot endpoints over the course of days or weeks. In this way, traditional fraud detection measures such as device fingerprinting or velocity checks will fail to detect the attacks. In other cases, the criminals are going through affiliate networks using popular cloud based infrastructure services so that the originating IP addresses are indeed legitimate and won’t be suspected or blocked.

In one attack just this month, the bad guys spread their bot army across 68 countries and almost 1000 IP addresses. In another instance also this month, the bot army attempted 5000 logins a day through an affiliate network.

In summary here are some of the most notable trends in automated attacks:

1. Use of widely distributed scripted attacks that emulate full device characteristics, i.e. a full web session with a modern browser, making it harder to detect using traditional device identification techniques.

2. Circumvention of velocity checking by spreading account attacks over many IP addresses and accounts. The average online retail attack will only use an IP address 2.25 times now before moving on to the next IP address. Likewise with accounts, a single account is rarely used for more than two purchases.

3. Matching IP address geos to billing address geos on credit card purchases, eluding common fraud detection techniques.

4. Rising use of cloud hosted solutions to launch account takeover attacks in order to evade IP address checks used to detect fraud

5. Account takeover is growing as the preferred method for taking over payment instruments, as opposed to credit card cycling for fraudulent purchases. This trend will no doubt continue as more ecommerce players offer consumers digital wallets for storing their payment instruments, making it easier and faster to check out.

What are the solutions?

Thankfully there are solutions on the market that can stop most of the automated attack activity we see today. Captchas, the traditional solution used for stopping automated attacks, aren’t effective anymore. Readily accessible Captcha bypass services will solve as many as 1000 captchas for $1.39 with 90% accuracy.

Two complementary approaches have proven effective with our clients.

1. Detection using a cloud-based fraud detection service that combines the first three layers of Gartner’s five layer fraud detection framework – endpoint centric, navigation centric and user/account centric — with metadata on devices and IP addresses across millions or billions of transactions at various websites (the more data points the better). NuData Security is a vendor that successfully does this. See our April 2014 “Market Guide for Online Fraud Detection” that discusses other fraud detection software and services.

2. Deflection, which involves a relatively new web application security technique that scrambles website code using a process called polymorphism. This precludes the hackers’ ability to decipher how a web site can be attacked since the logic of the web application is no longer transparent (e.g. no more ‘in the clear’ HTML code). Shape Security is a vendor that successfully does this.

Conclusion

Until websites and service providers engage in these more advanced fraud detection services, as consumers we would be better served by changing our passwords as frequently as practically possible. We just can’t count on most of our service providers using anything more than simple passwords to secure our data and accounts. If we reuse our passwords across sites, the chances of one of our account credentials getting stolen is probably around 50%, and the chances of one of our accounts getting hacked, in my estimation, is probably around 5-10%.

Password compromise is the most common way bad guys get into our accounts – whether they are Twitter, bank, credit card, frequent flyer, gaming or other ecommerce accounts. Unlike the situation with banks, there is no legal recourse or money/service back guarantee from other non-regulated providers. I’m not sure my preferred airline will give me back the hundreds of thousands of frequent flyer points I so painfully earned…

It’s amazing that most service providers still rely on password security, after all these years and after all these breaches. “When will they ever learn, when will they ever learn?”

11 Comments »

Category: Uncategorized     Tags:

The Hidden problems with Payment Card Security Technologies and PCI

by Avivah Litan  |  January 13, 2015  |  Comments Off

Ever since the high profile payment card data breaches, we have been getting lots of client inquiries around payment card security technologies — point-to-point encryption, tokenization and EMV. The first two technologies are being widely adopted by many U.S. companies, especially since nothing else seems to be working at keeping the bad guys out.

For example, Stage retail stores just announced adoption of Ingenico’s Point to Point encryption (P2PE) solution for its 900 stores. (See Ingenico press release from January 11, 2015). Other technology providers like Voltage and Verifone have had similar success in selling large P2PE solution sets. For example Voltage sold P2PE to Home Depot, although it was installed too late to stop the infamous breach.

Ingenico, like other card reader vendors who support P2PE solutions, also supports EMV. Stage’s announcement reflects a trend Gartner sees amongst its client base – that is merchants have to upgrade their POS equipment to support EMV in the future because of the October 2015 liability shift –so while they are it they choose card reader equipment that can support both EMV and P2PE. Not surprisingly, they turn on P2PE first. (See our research “Visa’s Long-Overdue U.S. EMV Move Will Improve Security, but Do Little to Alleviate PCI Compliance Work” for more information” for more information on the EMV liability shift).

P2PE can usually be turned on within 3 months if the solution uses remote key injection and management. Physically injecting keys into each card reader in a ‘safe room’ under its own ‘lock and key’ obviously takes much longer. Once deployed, P2PE can help protect all card transactions against data breaches. Retailers Gartner speaks with say they will turn on EMV acceptance “later”. They rightfully view EMV as mainly helping the card brands and issuers although when EMV becomes ubiquitous it will help everyone. For now, most merchants and payment card acceptors are not motivated by the October 2015 liability shift since according to U.S. retailers, as of October 2014 less than one percent of U.S. payment cards have chips in them even though some 20% of merchant terminals can already accept them.

But merchants and payment acceptors don’t have many PCI certified P2PE solutions to choose from. In fact they only have six in total (see PCI website). In our just published research note “Avoid Pitfalls with Payment Card Security Technologies and PCI” we point out the various pitfalls that accompany P2PE solutions, tokenization and EMV.

In Summary:

• Many P2PE solutions that encrypt data on card swipe are not yet PCI-certified, leaving payment acceptors questioning their adoption.

• Criminals have taken advantage of poor implementations of EMV chip payment applications, committing extensive fraud that defeats EMV controls for everyone in the payment card ecosystem.

• EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenization systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations.

Our research note delves into these obscure issues and after collaborating extensively with various industry participants, we recommend measures that merchants and other payment card acceptors can use to address them. We also warn our clients to beware of ‘one off deals’ that payment processors are offering merchants with regards to limited PCI audits in exchange for signing up for their non-PCI certified P2PE solutions. There’s probably no easier way to get your company locked into a payment processor, should you accept such a ‘deal.’ It is incumbent on the PCI Security Council to accelerate the P2PE solution certification process so that innovation can bloom. This will give everyone the freedom to choose the best possible solutions around.

Comments Off

Category: Uncategorized     Tags:

Who is the Government of North Korea?

by Avivah Litan  |  December 19, 2014  |  3 Comments

There is so much talk and skepticism about the perpetrators of the Sony attack – are they representing the North Korean government or are they a small band of crazy hackers?

The discussion makes me recall a dinner I had about a year ago with a respectable Chinese Factory owner when I asked him if reports about Chinese government espionage on U.S. corporations were truthful.

His response was telling – how does one differentiate between the Chinese government and everyone else? Basically the government and other sectors blend together in China – many companies and individuals are branches/arms/agents of the Chinese government. I imagine the same exact concept holds true in North Korea where pretty much every company and entity is state owned or state controlled, including the one ISP that the country has.

3 Comments »

Category: Uncategorized     Tags:

Where does North Korea get its cyber-hacking skills from?

by Avivah Litan  |  December 5, 2014  |  1 Comment

Many months before the alleged North Korean attack on Sony Pictures took place, a widely known fact in intel circles is that the Chinese and Russians are training North Koreans how to hack. Apparently, North Koreans are holed up inside a cement building inside China, learning these hacking skills, and after they are trained, these newly minted hackers are used by their Chinese and Russian comrades to conduct cyber-attacks against the U.S. The North Koreans need to relocate to China to conduct these cyber-attacks since there is little Internet connectivity out of North Korea.

I recently learned, though am unable to confirm, that the North Koreans, backed by their Chinese and Russian support groups, cyber-attacked U.S. and South Korean ships engaged in a military exercise off the coast of South Korea by manipulating their GPS systems so that their navigation was messed up.

Apparently, you only need to change a few GPS coordinates in a very small way to throw battleships off course.

Whatever the case may be, I’ve heard about the Chinese and Russian cyber-hack support for North Koreans from enough credible folks to believe this is true. When I first heard it my mouth kind of dropped. But now, it all makes sense to me.

Informed observers tell me the Sony Hack is just a show of macho – but much more serious incidents have and will likely continue to take place. In response, I hear a lot more about offensive cyber-attacks from the good guys gearing up, supported by government intelligence units or former government intelligence cyber-agents. Sounds like a good and necessary plan to me.

1 Comment »

Category: Uncategorized     Tags:

Retailers Brace for the Holiday Breach Season

by Avivah Litan  |  November 19, 2014  |  1 Comment

Holiday shopping season is upon us and is the busiest season of the year for hackers and shoppers alike. 2014 will be no exception and we should brace ourselves for more high profile cyber-attacks although this time, they are likely to gain much less public attention. Consumers have rightfully learned that they suffer little harm from payment card hacks.

So who does suffer?

Home Depot and Target, two big box retailers that suffered two of the largest card breaches ever, just released rosy third quarter financial results proving consumers value attractively priced merchandise more than they do payment card security. Sales were up at Target by 2.8%. Home Depot’s U.S. same-store sales rose 5.8 %, and both breaches seemed to have had negligible impact on consumers. This is a replay of what happened after the massive 2006 card data breach at TJX stores, first disclosed in January 2007. TJX reported an increase in revenue of approximately 7% for the six months ending 28 July 2007, compared with the same period in 2006.

This is a totally rational reaction for consumers, who are well protected under U.S. law and the rules of the credit card companies from unauthorized use of their credit and debit cards. They almost always get all of their stolen money back.

Moreover, I believe that there is relatively very little fraud committed using cards stolen during these massive breaches. I imagine the crooks are only able to make illicit charges against less than 5% of the stolen cards because the credit card companies are well prepared to cut off stolen card use once they become aware of which cards were compromised. This happens relatively quickly once the breach is discovered. (This isn’t the case with theft of other types of data, such as identity or tax or health records).

I estimate that the Home Depot and Target heists resulted in less than $10 million of direct fraud costs although total breach costs incurred by these companies were significantly higher. Target spent about $153 million on breach related expenses and Home Depot so far shelled out a net $34 million in 2014 for its breach. These much higher costs include the money the breached retailers have to pay for customer service, communications, lawyers, and reimbursements to card issuers for card reissuances.

Who pays the most for these breaches?

Clearly the retailers. They already pay in advance for fraud costs as part of their payment card interchange fees. U.S. retailers have also shelled out some $6 billion to secure their payment acceptance systems (sometimes not so successfully) in accordance with PCI (Payment Card Industry) rules they are bound by. They also pay hefty fines and fees if and when they are breached. Although consumer sales do not suffer – the costs of data breaches are still much higher than the costs of securing data in the first place.

What measures should retailers take?

Gartner recommends retailers use strategic data protection technologies which are garnering tremendous interest among our retailer clients, including;

a) point to point encryption (p2pe) which encrypts card data from the time it is presented until it gets decrypted by a merchant acquiring processor or some other central service designated by the retailer. Not all p2pe solutions and implementations are created equal and it’s not a slam dunk security win unless it’s implemented properly.

b) Tokenization of card data so that it is represented by surrogate values that are useless to thieves. Again tokenization is not a panacea and must be implemented properly – and as soon as card data is presented, so as to avoid holes in the security program. (One of the retailers recently breached had in fact implemented tokenization but the breach happened before the data was tokenized). Also merchants need to be aware that merchant based tokenization schemes collide with Visa and MasterCard tokenization schemes as implemented first by Apple Pay. (http://blogs.gartner.com/avivah-litan/2014/11/07/token-collision-and-point-to-point-encryption-confusion-ala-applepay/ ) Merchants therefore need to make sure their token service providers can retrieve a credit card number from an Apple Pay Token so that the merchant can then use their own tokenization system to tokenize the card number. Otherwise merchants can end up with multiple token numbers for one card.

Until and unless these strategic data protection measures can be taken, Gartner also recommends retailers focus on key tactical measures including

a) Prevent malware and hackers from entering enterprise networks in the first place

For example, keep POS systems single-purpose, and segment the card holder data environment from the rest of the network.

b) Prevent malware installation and operation, assuming the malware manages to get inside the network

Such steps include restricting outbound connections from POS and back office systems, keeping auto-login passwords unique on each POS machine, and using whitelisting techniques on POS endpoints.

c) Rapid detection of active malware, assuming preventative steps fail.

For example, monitor network logs, especially from file integrity monitoring systems, implement processes for physical and logical detection of USB drives often used to introduce malware and exfiltrate data, and sample store system memory for signs of malware.

We outline a more complete list of the measures involved in these three tactical steps in our research note “How to Avoid Becoming the Next Target Retail Breach Victim”. But these tasks can be overwhelming in number and ongoing hyper-vigilance is required to ensure the security controls are maintained. In many cases, this will be too much for most retailers to take on.

To breathe more easily, we recommend moving towards point to point encryption and tokenization technologies, while recognizing those measures are no panacea either and most assuredly will be compromised if improperly implemented. We are already hearing reports about poor implementations in the field.

But focusing on a couple strategic technologies is far easier and more effective then juggling dozens of point solutions whose plethora of alerts is bound to blind even the sharpest shooters amongst us.

The other alternative? Use cash.

1 Comment »

Category: Uncategorized     Tags:

Token Collision and Point to Point Encryption Confusion ala ApplePay

by Avivah Litan  |  November 7, 2014  |  1 Comment

With all the excitement about ApplePay, big systemic problems are starting to surface on the retailer side. Here they are:

a) Point to Point encryption confusion – Some vendors who certified their payment card applications for point to point encryption left out certification of the contactless payments since there was very little volume in the past and they just didn’t get around to it.

What this means is that any contactless payment presented to their NFC readers is ignored by the point to point encryption process and the transactions go into their own ‘suspense’ bucket. Retailers need to be aware of this and work with service providers to implement a compensating payment process flow accordingly.

b) Token collision – ApplePay uses a tokenization scheme supported by Visa and MasterCard which have not released the numbering scheme they use. (Essentially their tokens are pseudo card numbers with pseudo BINs (bank issuing numbers) at the front so they know which card issuer process to route the data to when it comes into their network).

But this system collides with the merchant or acquirer based tokenization systems the merchants have spent so much money on over the past years in order to secure card data and limit the scope of their PCI audits.

Here’s why the tokenization systems collide: An ApplePay token will be presented to a merchant tokenization system. The merchant tokenization system will simply tokenize the Apple Token and store that tokenized token in their system for future use since there is no way for the system to distinguish it’s an Apple token and not a credit/debit card.

What are the consequences?

a) Merchants could end up with two tokens for one card number

b) But more importantly, merchants now have an ApplePay token and no process to get back to the card number. They have no interfaces with the ApplePay token/detokenization system. The whole reason merchants tokenize card data is because they need to get back to the card number at some future point, usually for chargeback and dispute purposes or for recurring billing.

What’s the solution? Big token mapping tables in the sky? Seriously. And Messy. Someone– likely the acquiring processor or even the card brands — is going to have to provide merchants with a table that maps their token numbers to the card issuers’ token numbers (first brought to market by ApplePay). This doesn’t bode well for on premise solutions unless they can be tied directly somehow into these monstrous mapping tables.

More Security Problems: One other piece of interesting information I came across with regards to ApplePay is that the one time code numbers that are part of the security scheme are not being accepted or read by terminals and their payment acceptance protocols. At least not yet and not universally. This means that if an ApplePay token is stolen from a merchant, it can be used at another merchant accepting ApplePay, assuming the consumer doesn’t have to use their TouchID biometric to confirm the payment instruction and a hacker somehow steals the consumer’s password. ApplePay token numbers are the same across merchants since they are issuer based.

Retailer Vs. Card Networks – Interests Continue to Collide: What all this says to me is that retailer interests and card issuer interests continue to collide. It would have been nice if all this had been thought through at the beginning of PCI planning and rollouts and if tokenization standards were developed and implemented years ago so that we didn’t have to face this collision going forward. It’s only going to get more confusing and messy in the years to come before it straightens out.

1 Comment »

Category: Uncategorized     Tags:

Apple Pay vs. CurrentC; will Merchants lose out again to Visa and MasterCard?

by Avivah Litan  |  November 3, 2014  |  1 Comment

The recent ruckus in the media about Wal-Mart, CVS and RiteAid and other national retailers refusing ApplePay has created bad PR for the fragmented retail sector. News commentators have been ranting on about how these merchants need to give consumers free choice and turn back on ApplePay acceptance.

These comments reflect the great job Visa and MasterCard have done winning consumers over with superior service and payment protections (i.e. zero liability) and the outstanding job Apple does creating sleek and seamless user interfaces.

In stark contrast, the commentaries also show the horrendous job big box retailers who are part of MCX (Merchants Customer Exchange) – e.g. Wal-Mart, Target and CVS – have done telling their side of the story and producing an alternative mobile payment system after more than three long years since they announced one.

The market doesn’t realize that all these solid payment protections and frequent flyer points that we have come to love from using our credit cards come at a great cost to the retailers who bear the financial burden for these programs. In other words, the retailers are paying for our protections, zero liability programs, and our frequent flyer points as part of the interchange fees they pay to the card companies. The average consumer and journalist is unaware of this important point.

The burden of securing an inherently insecure magnetic stripe card instrument has also fallen largely on the retailers, and they have had to become security specialists in order to compensate for a painfully insecure payment system that they are basically forced to participate in. (Which retailer can afford to NOT accept credit or debit cards and still run a big business)?

Unfortunately for the retailers they are probably going to lose again. They have had more than three years to produce an alternative mobile payment system – now called CurrentC- but have failed to leverage the new form factor (mobile phones) that could level the playing field and let them finally take on the card companies.

MCX memberships have about a four year term, and many of their member retailer contracts are coming up for renewal soon. It will be interesting to see if the MCX members hang in there or abandon ship and give up the fight against the credit card companies – now indirectly spearheaded by ApplePay. Even if they do stay in the fight, MCX ‘s ability to produce a sleek system that is as easy to use as ApplePay is virtually impossible, especially if they continue to base their system on QR codes, and shut off NFC so that ApplePay can never work at their stores.

There is no way the merchants can distinguish ApplePayments coming through their NFC enabled terminals, since Visa and MasterCard are not releasing the numbering scheme these payments use. This means they cannot be rejected through software filters. This also means they have to reject or not accept ALL NFC payments – so they can never use this form factor for CurrentC and at the same time reject Apple Pay.

In the meantime, the big Visa and MasterCard machines continue to profit while retailers continue to pay high fees for credit/debit card acceptance – or generally 1-3% of every transaction. (These fees can go up to 7% or more for smaller merchants with less credit worthiness).

Rates have not gone down despite the important fact that volume continues to grow – so much so that Visa and MasterCard had record earnings causing their stocks to soar around 10% last week. Each of these card brands have seen their stock price rise handsomely beat the S &P 500 rise in the last few years. Likewise card issuers announced record profits this year, and the biggest rise seen since 2008. (see http://blogs.gartner.com/avivah-litan/2014/10/14/2014-the-year-of-the-worst-data-breaches-and-highest-profits-at-u-s-credit-card-issuers/).

Moreover, countless lawsuits, typically led by WalMart against the card companies for usurious business practices have also largely failed – even when a battle or two is won, the retailers continue to lose the war.

Too bad. I think competition is good for the market and would like to see alternatives win out so that prices can come down and overall security can increase. It would have been nice if Apple had announced a Bitcoin or PayPal interface, for example, but they didn’t – at least not yet. The retailers need to hire a startup with the innovation, flexibility, speed and technological prowess that they lack. Otherwise, CurrentC will end up being toast and consumers won’t even get a toaster back in return.

1 Comment »

Category: Uncategorized     Tags:

Can Credit Report Monitoring become more useful?

by Avivah Litan  |  November 3, 2014  |  Comments Off

For years companies whose troves of credit cards have been data breached have been offering potential fraud victims’ credit report monitoring as relief. I always cringe when I hear about this because I view this largely as a PR move on behalf of the breached entity that does virtually nothing to protect a cardholder from unauthorized use of their stolen credit or debit cards. Plus it costs the breached company lots of money it could more wisely spend elsewhere, and puts it in the pockets of the big credit bureaus and data aggregators who are happy to capitalize on this distortion in public perception.

Still this offering looks good in the media, earns the breached company brownie points, and consoles congressional representatives who have never taken the time to understand the difference between credit report monitoring and credit card monitoring.

Nonetheless, free credit report monitoring for potential breach victims has been a standard offering following credit and debit card data breaches. Unfortunately, the entities benefiting the most from this are not the potential consumer victims but rather are the companies selling credit report monitoring to breached entities who in turn offer it for free to potential victims whose data has been compromised.

Consumers are basically smart and surely have come to realize the credit report monitoring does nothing to protect them from use of their stolen cards. Moreover they can get their credit reports for free from the government website three times a year (see www.annualcreditreport.com). A consumer survey Gartner conducted three years ago found that of the roughly 45% who had credit report monitoring at the time or in the past, only about 8% were currently paying for it. Another 10% had previously paid for it but discontinued their subscription. The rest got it for free from a breached company who offered it as part of breach follow up and compensation. More paying customers were dropping the service than were signing up. I have to believe that is still the case.

The credit bureaus must be finally seeing that they can’t expand their theft protection services without making them more meaningful so that they truly do protect breached victims whose cards have been stolen. So it is reassuring to see one of the three main credit bureaus partner with a startup (BillGuard) which analyzes consumers’ card statements for anomalous charges that consumers likely wouldn’t otherwise spot – either because they don’t take the time to comb through their statements or because they look legitimate (e.g. a charge under $5 for a seemingly legitimate telco service). It’s reassuring to see that market demand drives innovation and that in this case, consumers can finally get what they need and deserve.

Comments Off

Category: Uncategorized     Tags:

2014: The year of the worst data breaches and highest profits at U.S. credit card issuers

by Avivah Litan  |  October 14, 2014  |  2 Comments

It looks like the credit card companies keep winning and the retailers keep losing when it comes to making money on credit cards.

R.K. Hammer, a consulting firm in Thousand Oaks, Calif., estimates that U.S. card issuers will generate $158.6 billion in 2014 revenue, a 9% jump over the $146 billion they earned in 2013. It would be the first annual gain since 2008, according to the firm.

This in a year of record data breaches, including breaches at mega-retailers Target and Home Depot – over 100 million card records breached just across these two retailers.

So what does this tell us? That the data breaches certainly aren’t hurting the card companies. They have done a super job at managing fraud, customer retention and risk mitigation for themselves and their cardholders.

I’d like to see the commensurate numbers for the breached retailers who have taken the hits and paid the fines that contributed to the card issuers’ bottom line profit numbers.

All told data breaches can’t be good for the economy, but on the surface, they haven’t been bad for the banks that issue the cards. I guess the economic equation totally depends on which side of the payment chain you sit on. We already saw the data breach damage Target’s bottom line. I’ve got to assume that’s the same for every major retailer who has been breached this year. All things being equal, these breaches have got to keep retail prices higher than they would be otherwise. But at least we still get our loyalty points and frequent flyer miles on our credit cards. I certainly can’t complain.

2 Comments »

Category: Uncategorized     Tags: