<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Avivah Litan</title>
	<atom:link href="http://blogs.gartner.com/avivah-litan/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.gartner.com/avivah-litan</link>
	<description>A Member of the Gartner Blog Network</description>
	<lastBuildDate>Tue, 14 Feb 2012 00:17:03 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Will the PCI Standard lose relevance in the Mobile World?</title>
		<link>http://blogs.gartner.com/avivah-litan/2012/02/13/will-the-pci-standard-lose-relevance-in-the-mobile-world/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2012/02/13/will-the-pci-standard-lose-relevance-in-the-mobile-world/#comments</comments>
		<pubDate>Tue, 14 Feb 2012 00:17:03 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=753</guid>
		<description><![CDATA[Did I miss something? The PCI Council was supposed to finish guidelines for mobile payment card acceptance in 2011, but I can’t find any update on their website. Having just returned from “The Valley” where most security professionals are headed soon for the RSA Security Conference, I can reaffirm (as if anyone needs reminding) that [...]]]></description>
			<content:encoded><![CDATA[<p>Did I miss something? The PCI Council was supposed to finish guidelines for mobile payment card acceptance in 2011, but I can’t find any update on their website. Having just returned from “The Valley”, where most security professionals are headed soon for the RSA Security Conference, I can reaffirm (as if anyone needs reminding) that mobile devices are the new desktops. Accordingly, there are lots of innovative developments around mobile payments – both on the payer and the payee side, even when it comes to credit and debit card payments.</p>
<p>So where is the PCI Security Council? And why aren’t they getting ahead of the rush to mobile payments and mobile payment acceptance?</p>
<p>I know where at least one of their founders, Visa, is: investing in and backing Square, one of the more innovative payment card acceptor applications out there, which is allegedly growing by leaps and bounds, even in the absence of a PCI standard for mobile payment acceptance.</p>
<p>Walk into any Apple store around the world and you will see the sales people there also ‘ignoring’ PCI standards by accepting payments on non-PCI certified mobile payment devices.</p>
<p>I realize it’s tough to develop standards for the non-standard mobile environment, but no one said the PCI Council should have it all easy. It just makes me wonder what the purpose of the council and the PCI standard itself is from the viewpoint of the card companies. If anyone has any ideas, please let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2012/02/13/will-the-pci-standard-lose-relevance-in-the-mobile-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Supreme Court GPS decision could impact future mobile experiences</title>
		<link>http://blogs.gartner.com/avivah-litan/2012/01/26/supreme-court-gps-decision-could-impact-future-mobile-experiences/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2012/01/26/supreme-court-gps-decision-could-impact-future-mobile-experiences/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 16:59:12 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=743</guid>
		<description><![CDATA[No doubt you’ve seen this news already http://blogs.wsj.com/wsjam/2012/01/24/scotus-says-no-to-gps-tracking-without-a-warrant/?mod=google_news_blog The Supreme Court ruled that the police violated the 4th amendment (protection against unreasonable searches and seizures) when police used GPS tracking on a narcotics-operative’s vehicle (planted there without his knowledge) to convict the man. His conviction was overturned because there was no valid warrant for the [...]]]></description>
			<content:encoded><![CDATA[<p>No doubt you’ve seen this news already </p>
<p>http://blogs.wsj.com/wsjam/2012/01/24/scotus-says-no-to-gps-tracking-without-a-warrant/?mod=google_news_blog</p>
<p>The Supreme Court ruled that the police violated the 4th amendment (protection against unreasonable searches and seizures) when police used GPS tracking on a narcotics-operative’s vehicle (planted there without his knowledge) to convict the man. His conviction was overturned because there was no valid warrant for the tracker.</p>
<p>It seems that the Court will ‘figure out later’ whether traffic surveillance/cameras similarly violate the 4th amendment. For now, they appear to have put that off and are focusing on the violation involved in purposeful tracking of an individual.</p>
<p>I’m sure this means something to context-aware and rich interactive mobile computing – e.g. there could be ramifications later in terms of privacy violations, even if the tracking is not driven by the desire/need to track one individual but an individual’s movements are tracked as part of crowd surveillance.</p>
<p>Here’s a provocative excerpt from the WSJ article on this subject:</p>
<p>“With such rapidly advancing technology, the Scalia approach left open &#8220;particularly vexing problems,&#8221; Justice Alito wrote, particularly when police don&#8217;t have to physically touch a vehicle to conduct surveillance. He mentioned automatic toll-collection systems and smart-phones that continuously track their own location as examples.”</p>
<p>My Gartner colleagues are correct in pointing out that legally, this decision only impacts law enforcement searches and investigations and has no bearing on the private sector. </p>
<p>But I can’t help but think that the lines are blurred between what the cops can do and what private industry and advertisers can do, at least in end-user and consumer minds. </p>
<p>It would make it a whole lot easier if private sector service providers enabled consumers to ‘opt-in’ to location and, similarly, device tracking. That would certainly avoid a lot of unnecessary busy work as vendors and service providers work around ‘tagging’ customer endpoints.</p>
<p>For example, with iOS 5, Apple is discontinuing enabling Apple iPhone tracking through their hardware ID, the UDID, and now all these workarounds are being developed and implemented, even presumably by Apple (for iTunes) itself. The discontinuance of enabling UDID tracking was reportedly Apple’s response to accusations of privacy-intrusive practices.</p>
<p>User opt-in (or specific granting of permissions to be tracked) is the way to go and should be a standard across applications. Of course, when it comes to preventing fraudulent and ‘bad’ activities, service providers like banks can do pretty much anything they need to do to protect customer accounts and bank assets. (The fraud teams have a lot more customer data than the marketing teams as a result.)</p>
<p>We can’t expect criminals to ‘opt-in’ to being tracked. So essentially, universal policies of opt-in will give companies a white list of presumably ‘good’ end users (some fraudsters will opt in to trick applications), and whoever doesn’t opt in will still get tracked, but only for security and fraud prevention purposes. And that definition – i.e. ‘security and fraud purposes’ &#8212; will certainly be open to interpretation as it is now.</p>
<p>In any event, my takeaway from all this is that transparency of tracking is a good thing for good people.  Ask them if they want to be tracked and they will likely say OK, according to a recent Gartner survey. And let the courts figure out what’s OK for the bad guys.  For now, it looks like their privacy needs to be respected too. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2012/01/26/supreme-court-gps-decision-could-impact-future-mobile-experiences/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>New ICANN Web Address scheme will increase cyberattacks</title>
		<link>http://blogs.gartner.com/avivah-litan/2012/01/10/new-icann-web-address-scheme-will-increase-cyberattacks/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2012/01/10/new-icann-web-address-scheme-will-increase-cyberattacks/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 18:28:45 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=737</guid>
		<description><![CDATA[The new ICANN arrangement for opening up new domains and web addresses that becomes effective this week is good news for fraudsters. Other Gartner analysts, i.e. Andrew Frank, Lydia Leong and Ray Valdes, cover the overriding advertising and domain registration/monitoring aspects but from a fraud point of view, this is bad news for legitimate users. [...]]]></description>
			<content:encoded><![CDATA[<p>The new ICANN arrangement for opening up new domains and web addresses that becomes effective this week is good news for fraudsters. Other Gartner analysts, i.e. Andrew Frank, Lydia Leong and Ray Valdes, cover the overriding advertising and domain registration/monitoring aspects but from a fraud point of view, this is bad news for legitimate users. </p>
<p>This will make it much easier for hackers to phish or spoof consumers (and thereby deliver malware to endpoints and/or collect sensitive information) because:</p>
<p>a. They can make use of unlimited choices to spoof known brands – meaning consumers will have a much harder time knowing what’s real and what isn’t.</p>
<p>b. It will be that much harder to detect spoof sites using customer feedback mechanisms, and that much harder to take them down, since they won’t be identified as quickly.</p>
<p>c. Brand protection will be much costlier because there is exponentially more to monitor.</p>
<p>All is not lost to the hackers, however. There is a series of measures that enterprises worried about their brands being phished can take by adopting a layered security approach that includes:</p>
<p>1. anti-phishing services that detect and take down phishing attacks</p>
<p>2. email-certification and blocking services</p>
<p>3. phishing site linkage detection and browser protection</p>
<p>While it will cost enterprises precious resources to adopt these services, it’s time for them to start looking outside their firewalls in order to protect their assets and users.  The ICANN decision adds a sense of urgency to the matter. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2012/01/10/new-icann-web-address-scheme-will-increase-cyberattacks/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>PayPal payments at Home Depot stores are significant</title>
		<link>http://blogs.gartner.com/avivah-litan/2012/01/09/paypay-payments-at-home-depot-trial-stores-is-significant/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2012/01/09/paypay-payments-at-home-depot-trial-stores-is-significant/#comments</comments>
		<pubDate>Mon, 09 Jan 2012 15:17:03 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=716</guid>
		<description><![CDATA[Paypal payments come to Home Depot store shoppers. See last Friday’s PayPal blog about their trial of point-of-sale (POS) payments at 5 unnamed Home Depot stores https://www.paypal-media.com/aboutus.cfm. Home Depot customers can now check out at those five stores by entering their phone numbers and PayPal PIN numbers, or by swiping their PayPal cards, at the [...]]]></description>
			<content:encoded><![CDATA[<p>PayPal payments come to Home Depot store shoppers. See last Friday’s PayPal blog about their trial of point-of-sale (POS) payments at 5 unnamed Home Depot stores: https://www.paypal-media.com/aboutus.cfm. Home Depot customers can now check out at those five stores by entering their phone numbers and PayPal PIN numbers, or by swiping their PayPal cards, at the point of sale.</p>
<p>I&#8217;m excited that PayPal is finally making a meaningful entrance into physical POS payments. The card brands have overly dominated this space for far too long. There certainly has been no shortage of challenges to Visa and MasterCard’s empires such as:</p>
<p>a) the watered-down (by the financial lobby) Durbin amendment to the Dodd-Frank Wall Street financial reform act, which lowered the debit interchange fees banks can charge merchants, but not by nearly as much as merchants originally hoped for.</p>
<p>b) countless class action lawsuits against the card brands, led by retailers such as Wal-Mart, who claimed unfair trade practices and merchants fees that were unjustifiably high. In 2003, Wal-Mart did manage to win back $3 billion from Visa and MasterCard for itself and its class, but increased merchant fees were levied by the card networks where and when they could, and quickly ate up the merchant settlement gains.</p>
<p>c) legal challenges to Visa’s and MasterCard’s seemingly unfair dominance and  apparent ‘monopoly’ status that never went anywhere with the U.S. Dept of Justice Antitrust division. </p>
<p>The real challenge to the card brands will come from viable alternative payment networks. PayPal has the best chance at this point, even though it’s somewhat of an indirect challenge since it relies both on the payment card and bank-to-bank transfer networks for its livelihood.</p>
<p>With well over 100 million account holders (some estimates are much higher), PayPal has importantly won trust among consumers. A recent Gartner survey of over 3000 U.S. consumers found that PayPal is perceived to be safer than the card brands, Visa and MasterCard, although by a relatively narrow margin. PayPal’s trust lead over other large alternative ‘wallet’ providers such as Apple, Google and Facebook is much larger. In the case of Facebook in particular, PayPal commands a substantial lead when it comes to consumer perceptions of safety and security.</p>
<p>This Home Depot trial, along with other mobile payment trials announced by Google,  MasterCard, Citibank and some telco carriers marks the beginning of intense competition that will benefit consumers in terms of more personalized choices and eventually lower prices. After all, consumer ‘wallet share’ is increasingly coveted by the big card brands, banks, telcos, retailers and anyone else asking for your money. The race to grab a piece gets much more interesting and innovative as mobile payments – PayPal or otherwise &#8211; and platforms roll out. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2012/01/09/paypay-payments-at-home-depot-trial-stores-is-significant/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How Smart are Predictive Models?</title>
		<link>http://blogs.gartner.com/avivah-litan/2011/12/15/how-smart-are-predictive-models/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2011/12/15/how-smart-are-predictive-models/#comments</comments>
		<pubDate>Thu, 15 Dec 2011 13:21:20 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=695</guid>
		<description><![CDATA[For years, I have been trying to get to the bottom of what type of self-learning predictive models and fraud scoring systems the vendors I cover provide. I often got the impression, that in many cases, it was a bit of a Wizard of Oz scenario, with some guys sitting behind a big door or [...]]]></description>
			<content:encoded><![CDATA[<p>For years, I have been trying to get to the bottom of what type of self-learning predictive models and fraud scoring systems the vendors I cover provide. I often got the impression that, in many cases, it was a bit of a Wizard of Oz scenario, with some guys sitting behind a big door or curtain, mining the data and writing rules for each of their customers, based on the fraud they experienced and confirmed.</p>
<p>This was the real reason &#8216;tuning&#8217; was needed and the systems did not work well out of the box, because the guys or gals hadn&#8217;t yet &#8216;tweaked the models for the organization&#8217; meaning they hadn&#8217;t yet mined the company&#8217;s data and written the rules accordingly. This becomes especially problematic when the company doesn&#8217;t have any confirmed fraud. The irony in these situations is that you can&#8217;t prevent fraud until you experience enough of it!</p>
<p>It was also the main reason the models &#8216;degrade over time.&#8217; The rules stop working once the bad guys catch on to them, so the cycle of data mining and rule creation by the guys and gals behind the curtain must start once again, sometimes costing the customers tens of thousands of dollars if not more.</p>
<p>I continue to learn that this is pretty much the way many of these &#8216;predictive models&#8217; work.  Most of them are essentially just rules. </p>
<p>The only time models can run &#8216;out of the box&#8217; is when the customer&#8217;s situation is akin to their peers&#8217; and the model is built on consortium data, where the confirmed fraud of others&#8217; experiences can help pinpoint fraud for each participant of the consortium. In most cases, vendors that base their models on consortium data use predictive modeling and scoring techniques, e.g. based on neural or Bayesian networks, more often than the vendors who don&#8217;t. But consortium models have had their limits because many companies don&#8217;t want to share their fraud data with anyone &#8211; not the authorities, not their competitors and not the vendors.</p>
<p>Further, self-learning models aren&#8217;t a reality in fraud management, at least from what I have seen. The vendors have to run their own analyses to find the outliers &#8211; or the transactions not evaluated by the model &#8211; and then figure out what they have in common so they can manually adjust the model to take them into account.</p>
<p>In any event, the next time a vendor&#8217;s model seems like a black box, it probably means there are a few geeks behind the curtain mining your data and building rules. If nothing else, they should make it clear that after a set period, those rules will become ineffective so you will have to invite them back &#8212; and pay them a considerable amount of money &#8212; unless you&#8217;ve learned to write your own rules and &#8216;models.&#8217; </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2011/12/15/how-smart-are-predictive-models/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lucky stores weren&#8217;t so lucky &#8211; Another Flash Attack?</title>
		<link>http://blogs.gartner.com/avivah-litan/2011/12/08/lucky-stores-werent-so-lucky-another-flash-attack/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2011/12/08/lucky-stores-werent-so-lucky-another-flash-attack/#comments</comments>
		<pubDate>Thu, 08 Dec 2011 19:08:38 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=691</guid>
		<description><![CDATA[What really happened at Lucky and Savemart stores? See http://savemart.com/index.php?id=449 for their press release on this. Something here doesn’t add up. The chain says employee and customer bank accounts were compromised but employees generally don’t swipe their cards at the POS systems. So I for one, would like to understand the connection to employee accounts. [...]]]></description>
			<content:encoded><![CDATA[<p>What really happened at Lucky and Savemart stores? See http://savemart.com/index.php?id=449 for their press release on this.</p>
<p>Something here doesn’t add up. The chain says employee and customer bank accounts were compromised, but employees generally don’t swipe their cards at the POS systems. So I, for one, would like to understand the connection to employee accounts. There must be more than just card reader tampering going on here.</p>
<p>But if you take the employee piece out of the picture (and I don’t say we should), then this looks like yet another sophisticated POS card reader fraud attack.</p>
<p>The bad guys are very organized. They have the ring leaders that target the POS systems used at the store chain. They must have known which type of POS equipment Savemart uses and designed an attack specifically against their systems.</p>
<p>The ring leader(s) hire ‘flunkies’ to insert skimmers in the equipment or to replace the equipment Savemart has installed altogether. (Most likely it’s the former option, although the latter option is more common in South America.) They then hire the counterfeit specialists that turn the stolen data into counterfeit cards (with PIN numbers, if they have them, taped onto the counterfeit cards). And finally they hire the ‘cash out’ flunkies to use the cards at ATM machines or other POS systems to turn the stolen cards into stolen cash or easily fence-able goods (like TVs, tablets or other electronic goods).</p>
<p>Then they hire people to collect the cash or to fence the goods before the cash is collected.</p>
<p>They generally use the cards VERY QUICKLY at ATM machines around the country and sometimes in other countries, simultaneously withdrawing small amounts at dozens of machines against dozens of accounts, typically within 10-30 minutes. Then they wait an hour and do it again. This way they can evade many of the fraud detection systems.</p>
<p>I blogged about this months ago – I call these the Flash Attacks. Of course Savemart is only reporting on their piece, and the banks generally don’t disclose their side of things, so we can&#8217;t be sure if Flash Attacks resulted from this hack.</p>
<p>Also the part disclosed on employee account takeover is still troublesome. I’d like to know more about that.  As noted, employees typically don’t swipe their own cards at the cash registers. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2011/12/08/lucky-stores-werent-so-lucky-another-flash-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple starts its foray into mobile payments</title>
		<link>http://blogs.gartner.com/avivah-litan/2011/11/08/apple-starts-its-foray-into-mobile-payments/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2011/11/08/apple-starts-its-foray-into-mobile-payments/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 22:49:19 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=685</guid>
		<description><![CDATA[I was very excited to read this blog in Computerworld about Apple starting to link its iTunes wallet service to physical world payments: http://blogs.computerworld.com/19233/apple_quietly_begins_iphone_as_wallet_in_store_trials?source=CTWNLE_nlt_blogs_2011-11-08 It may be a slow start – and a long leap to go from barcode scanning at Apple stores to NFC payments anywhere accepted – but it’s a start for leveraging [...]]]></description>
			<content:encoded><![CDATA[<p>I was very excited to read this blog in Computerworld about Apple starting to link its iTunes wallet service to physical world payments:</p>
<p>http://blogs.computerworld.com/19233/apple_quietly_begins_iphone_as_wallet_in_store_trials?source=CTWNLE_nlt_blogs_2011-11-08</p>
<p>It may be a slow start – and a long leap to go from barcode scanning at Apple stores to NFC payments anywhere accepted – but it’s a start for leveraging iTunes wallet/card information for payments in the physical world.</p>
<p>Recent Gartner consumer survey data shows Apple has a clear leg up on Google when it comes to being consumers’ trusted mobile wallet provider, but PayPal is still the most trusted in this role, although not by a very wide margin.</p>
<p>There should be plenty of room for multiple mobile wallet providers which is a good thing because I imagine there will be plenty of innovation brewing in this area, fostered in large part by the healthy competition. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2011/11/08/apple-starts-its-foray-into-mobile-payments/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rogue traders need simple controls not fancy technology</title>
		<link>http://blogs.gartner.com/avivah-litan/2011/11/01/rogue-traders-need-simple-controls-not-fancy-technology/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2011/11/01/rogue-traders-need-simple-controls-not-fancy-technology/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 19:16:09 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=673</guid>
		<description><![CDATA[Executives at many U.S. and global financial institutions are pounding on their risk managers to make sure they are not the next victim of a UBS-style rogue trading multi-billion dollar fiasco. Of course, many of the vendors engaged in data mining, analytics, and fraud prevention have taken notice and are pitching their wares to these [...]]]></description>
			<content:encoded><![CDATA[<p>Executives at many U.S. and global financial institutions are pounding on their risk managers to make sure they are not the next victim of a UBS-style rogue trading multi-billion dollar fiasco. Of course, many of the vendors engaged in data mining, analytics, and fraud prevention have taken notice and are pitching their wares to these stressed risk managers.  </p>
<p>Essentially, most of the vendors are proposing to use pattern based intelligence based on entity link analysis to find anomalous trades and aberrant trader activity. To do that, they need to baseline and profile trader, desk and counterparty activities. No small task and one that frankly I don&#8217;t believe can be successfully done.  There is no baseline profile for a good trader, where success requires innovative trades based on volatile, dynamic, and unpredictable market movements that we have come to see all too frequently. Plus, enormous amounts of information and data needs to be culled, sifted and analyzed, and only a highly experienced trader would have a clue of what to look for, assuming the vast data sets were integrated and &#8220;minable&#8221;. </p>
<p>Instead, good old-fashioned controls seem to be in order here. And some standardization used across financial institutions would certainly help.</p>
<p>My limited understanding is that there are essentially two types of trades that need to be monitored &#8211; OTC (over-the-counter) trades that are executed with counterparties, and listed trades that are executed on internal accounts. With listed trades, the control desks need to confirm that there are assets or securities in the accounts reflecting those trades (a control that should catch fake trades done internally, which I think was the problem with most of the rogue trading scandals that have cost some banks billions of dollars in losses). With OTC trades, it&#8217;s a bit more complicated because the trades need to also be confirmed with the external counterparty, but that can be done using standard electronic formats such as SwapsWire, which is now used in limited fashion.</p>
<p>Sometimes, in fact often, the best solutions are also the simplest to implement and make the most common sense, even at opaque financial institutions that specialize in complexity.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2011/11/01/rogue-traders-need-simple-controls-not-fancy-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Congress about to get it wrong again – Smart Cards are not the answer to Medicare Fraud and Abuse</title>
		<link>http://blogs.gartner.com/avivah-litan/2011/10/10/congress-about-to-get-it-wrong-again-%e2%80%93-smart-cards-are-not-the-answer-to-medicare-fraud-and-abuse/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2011/10/10/congress-about-to-get-it-wrong-again-%e2%80%93-smart-cards-are-not-the-answer-to-medicare-fraud-and-abuse/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 19:47:11 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=663</guid>
		<description><![CDATA[Unless things change quickly (which I doubt will happen) Congress is about to head down the wrong path in tackling Medicare fraud. Under the recently-introduced bipartisan bill “the Medicare Common Access Card Act of 2011,” all Medicare recipients and providers will be issued a smart card. Recipients will also get a PIN to use when [...]]]></description>
			<content:encoded><![CDATA[<p>Unless things change quickly (which I doubt will happen) Congress is about to head down the wrong path in tackling Medicare fraud. Under the recently-introduced bipartisan bill “the Medicare Common Access Card Act of 2011,” all Medicare recipients and providers will be issued a smart card. Recipients will also get a PIN to use when they arrive at a provider’s office and providers will have to swipe their card and scan their fingerprint in order to make a claim for payment.</p>
<p>Can anyone guess who is the main lobbying force behind this legislation? The smart card companies of course and the Secure ID Coalition, an industry group comprised of smart card manufacturers and related vendors. </p>
<p>In 2010, OMB Chief Peter Orszag was quoted as saying that Medicare and Medicaid combined had nearly $65 billion in improper payments in 2009, of which $47 billion was for Medicare alone. We have heard higher numbers than Orszag gives: that more like 12%-15% of claims against Medicare are fraudulent or highly ‘abusive’ to the system.</p>
<p>And Congress thinks smart cards are going to get this kind of savings? Adding insult to injury, at least parts of this law may be adopted by the Congressional Super Committee in its recommended debt-limit spending cuts due to Congress on Nov. 23.  No wonder our country’s credit rating was downgraded and no wonder we are in so much financial trouble. </p>
<p>Reasons why the smart card advocates are wrong:</p>
<p>a)	The smart card advocates are projecting that smart cards will save over $30 billion a year. That would mean that between 37% and 50% of the providers, physicians, hospitals etc. don&#8217;t exist or are fraudulent entities.  While things are pretty bad in our medical system, I doubt very much they are that bad.</p>
<p>b)	In fact, <strong>the most serious and consequential fraud and misuse is committed by legitimate users using regular systems,</strong> or by unauthorized persons who take over legitimate users&#8217; accounts. Granted account takeover is harder with biometrics and smart cards, but strong authentication has already been successfully circumvented in many instances by sophisticated criminals. (For example, if a doctor is logging into an online system with a biometric and a smart card, the fraudsters simply wait until the doctor is authenticated and then manipulate the transactions to their favor). </p>
<p>c)	Similarly, just because a doctor or healthcare provider has a smart card and is authenticated to the systems does not mean he or she will not make illegitimate claims on the system. It&#8217;s imperative to monitor the actions AFTER the user is authenticated and not stop with authentication, which is all that smart cards (imperfectly) accomplish. </p>
<p>d)	Further, and importantly, each person who is issued a smart card must be thoroughly vetted and I didn&#8217;t see any evidence in the congressional documentation of an identity proofing program that would be effective enough to keep out the bad players. Identity proofing is a major issue in financial services, as the bad guys find ways to have new accounts issued to them while they evade the financial services firms&#8217; identity vetting techniques. Once they are issued an account, and in this case a smart card to go with it, they can wreak havoc in the system.  Surely, this type of identity-level fraud and abuse will be even more rampant in the public sector healthcare system. </p>
<p>This is not to say that (even with all these problems) strongly authenticating all users and providers to the Medicare systems is a bad idea. It&#8217;s a good idea but it is only one lower-priority step in fraud and abuse mitigation that will take much more time and money than it is likely worth. I estimate it will cost the U.S. AT LEAST $4-$5 billion (total cost and probably much much more than that) to adopt smart card technology in healthcare and that at the end of the day it may save up to $5 billion in fraud (if we are lucky).</p>
<p>In contrast, the U.S. can spend around $100 million on scoring and automatically analyzing (using pattern recognition) Medicare and Medicaid claims for fraud and abuse, and likely save $40 billion to $60 billion a year. I have talked with some individuals who have closely analyzed Medicare files and have easily found these kinds of savings using fraud scoring and pattern analysis technology.</p>
<p>It’s time to take these analytical technologies into the fragmented and outdated CMS systems. It doesn’t require re-engineering them – it just requires adding a scoring and analytical process BEFORE a Medicare payment is made. Later on, smart-card based authentication can be layered on top of the fraud prevention systems but this should be a much lower priority. We need to spend the money on the systems that will yield the MOST savings, not on putting a pretty and expensive face (or smart card) on top of an ugly (Medicare IT) system. </p>
<p>I typically am an optimist but in this case, I must say I have lost faith in our legislative body to tackle the issue and set the right priorities. True, they are not fraud prevention and security specialists and true they probably have less bandwidth to focus on these issues than many of us do.  But it’s also true that:</p>
<p>a)	They need to stop listening to the groups with the best paid lobbyists and</p>
<p>b)	They are about to make decisions that I estimate will cost the U.S. economy up to half a trillion dollars over the next decade. And that’s a sign of a very ill legislative process that even the best doctors of America won’t be able to cure.  </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2011/10/10/congress-about-to-get-it-wrong-again-%e2%80%93-smart-cards-are-not-the-answer-to-medicare-fraud-and-abuse/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The next big Subprime Mortgage Ripoff &#8211; can we spare another $15 billion?</title>
		<link>http://blogs.gartner.com/avivah-litan/2011/08/10/the-next-big-subprime-mortgage-ripoff-can-we-spare-another-15-billion/</link>
		<comments>http://blogs.gartner.com/avivah-litan/2011/08/10/the-next-big-subprime-mortgage-ripoff-can-we-spare-another-15-billion/#comments</comments>
		<pubDate>Thu, 11 Aug 2011 03:06:15 +0000</pubDate>
		<dc:creator>Avivah Litan</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/avivah-litan/?p=639</guid>
		<description><![CDATA[Home lenders and banks are losing between $7.5 billion and $15 billion in fraud from seemingly-deplorable subprime mortgage activities that get the wrong people rich quick. It just doesn&#8217;t quit &#8211; fraud on the way into the subprime crisis, and now fraud as we try to dig our way slowly out. The techniques are essentially [...]]]></description>
			<content:encoded><![CDATA[<p>Home lenders and banks are losing between $7.5 billion and $15 billion in fraud from seemingly-deplorable subprime mortgage activities that get the wrong people rich quick. </p>
<p>It just doesn&#8217;t quit &#8211; fraud on the way into the subprime crisis,  and now fraud as we try to dig our way slowly out. The techniques are essentially the same as the 2007 legacy fraud rings, except the 2007 goal was to artificially inflate the valuation and sales price, and then extract all the money with a subprime mortgage and its derivatives. This time around, the goal is to artificially reduce the valuation and sales price, while putting the mortgage into default, and then extract the money with a sale, property transfer, or even a new mortgage at the real (higher) valuation. Perhaps there was not as much incentive to stop the fraud and abusive lending practices as we got into this mess, since greed invariably got in the way &#8211; but hopefully, with the economy struggling and the market tanking again, there will be more incentive to stop the abusive foreclosure practices that are cropping up as wallets continue to shrink. </p>
<p>Palantir, a technology supplier that specializes in quickly integrating and making sense of all types of structured and unstructured data, has been working with the nation&#8217;s largest mortgage lenders and financial institutions on &#8216;solving big problems with big data management&#8217; (for invariably big revenues that accrue to the vendor, but hey that’s the American way).  In working on mortgage pricing and analysis, Palantir inadvertently stumbled across some stark and depressing facts, albeit not at all surprising. By getting its arms around data stuck in legacy green screen systems, it found that over 1% of subprime sales (where a total portfolio could amount to between $100 billion and $2 trillion) was consistently lost to fraudulent and sleazy real estate deals. Here’s how the basic scheme works:</p>
<p>a)	Bob Borrower can’t pay his adjustable rate mortgage, now with a balance of $1 million, and the bank has serviced him with a notice of foreclosure. His home is only worth $500,000, based on sales of comparable properties in the last 90 days. </p>
<p>b)	Bob goes searching on Google for “Foreclosure Help” and discovers the promises of Shady Foreclosure Prevention Inc. who say they can get him out of this mess if he just sends them his contact information.</p>
<p>c)	Connor from Shady Foreclosure Prevention calls Bob the next day and tells him they can help get him out of his mess by short selling his home, whereupon Bob’s Lender (the Bank) will forgive the balance of the loan owed to them by Bob after it collects the sale price.  Bob might also qualify for $3,000 to $20,000 in cash incentives from the bank or programs like HAFA.  </p>
<p>d)	Bob says OK, sounds perfect.</p>
<p>e)	Shady Foreclosure Prevention is actually a front designed to drive foreclosed customers to a ring of realtors, appraisers, and mortgage brokers, looking to monetize distressed properties. Connor simply contacts his sister Nancy, who just got her real estate license two months ago, and tells her to ‘arrange the sale’. </p>
<p>f)	Over the following months, Nancy only actually receives and submits low bids on behalf of non-arms-length buyers, such as her brother-in-law Joe who will say that he will be happy to buy the house, but alas he can only afford to pay $300,000. </p>
<p>g)	Nancy tells Connor and the Bank the news that sadly enough, there was only ONE bid on the house despite their very aggressive and lengthy sales and marketing efforts.</p>
<p>h)	The transaction between Bob and Joe goes through for $300K. Bob (or often in these distressed markets, the Bank) pays Nancy her commission for selling his house, and Joe pays Nancy her commission fees for buying the house. </p>
<p>i)	Nancy splits the commissions with Connor from Shady Foreclosure Prevention, per their agreement.  Nancy takes Connor to dinner that night, celebrating their latest success and plotting their future ones. </p>
<p>j)	The next day, Nancy tells Joe she thinks she can sell his house for $600,000 and Joe replies ‘Why not?  Go for it.’</p>
<p>k)	This time, it only takes Nancy 30 days to sell the house, this time to a ‘real’ buyer – a family of four. Again Nancy and Shady Foreclosure Prevention make their commissions, and split the $300,000 profit between Nancy, Connor and Joe.</p>
<p>And the cycle repeats. Again and again and again. Nancy and Joe enlist the help of another broker to guarantee that bank-ordered valuations support their shady deals. Eventually, Connor even defaults on his own $1 million mortgage and sells it to an LLC for $500K, using Nancy as his realtor. The bank, investor, or government-sponsored enterprise such as Fannie Mae ends up losing 25-50 cents on every dollar loaned. </p>
<p>I don’t need to remind anyone how bad this is for a struggling housing market. This ends up hurting everyone – the banks, the government home lending agencies (Fannie Mae and Freddie Mac), the taxpayers and even those who earn too little to pay any taxes. It hurts every party’s credit ratings, empties their coffers and damages the economy. Everyone loses except the con artists.</p>
<p>Apparently, this con is very easy to pull off because the systems that process these sales aren’t intelligent enough to see what’s happening before their very ‘eyes’. The mortgage systems were built to pump out and service loans – not to analyze huge amounts of structured and non-structured data. (The outstanding loan value on U.S. mortgages is about $10 trillion). </p>
<p>But by using entity link analysis and pattern based intelligence (what we call Layer Five of Fraud Prevention – please see “The Five Layers of Fraud Prevention and using them to beat malware” ) lenders, government agencies and other entities can get their arms around disparate information, find the abuse and fraud, and stop it once and for all. This technique can work just as well in weeding out an estimated $60 billion in Medicare and Medicaid fraud annually. And it has already proven to yield significant returns in many other use cases, such as credit card bust out, insurance claim fraud and homeland security.</p>
<p>Instead of spending countless hours dragging our country through more uncertainty and inflamed rhetorical sessions, I personally would like to see the U.S. Congress create incentives to use Pattern Based intelligence systems to weed out billions in fraud and abuse. They could then use the savings to pay for causes that matter, such as affordable housing and easily accessed quality medical assistance for the underprivileged.  Now wouldn’t that be an anomaly?</p>
<p>For more information and related coverage of some sample fraud rings, uncovered by law enforcement as they tried to pilfer almost $100 million, please see:</p>
<p>http://libn.com/2011/08/04/li-mortgage-firm-charged-in-58m-fraud/</p>
<p>http://www.themreport.com/articles/scam-artist-sting-successful-in-south-florida-2011-08-05</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/avivah-litan/2011/08/10/the-next-big-subprime-mortgage-ripoff-can-we-spare-another-15-billion/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>