Every year has its over-the-top data breach affecting hundreds of millions of people. It’s like RuPaul’s Drag Race, but with hackers vying like divas for the most dramatic performance in stealing data. Last year it was Marriott. 2017 had Equifax. And who could forget Miss 2016, AdultFriendFinder? These hacks have far-reaching consequences that affect all of us, especially merchants. While hacks of big data aggregators like CapitalOne make sensational headlines, smaller businesses like yours are the preferred target of hackers looking to steal and sell data.
So far this year, CapitalOne looks like they’ll be smearing their mascara as the hacker’s queen of 2019. CapitalOne was quick with the PR machine, claiming that “no credit card numbers were taken”. But that’s really just a smokescreen; the data is definitely fueling the next wave of credit card fraud. The fact that they used that claim as damage control goes to show how little people know about how their data is weaponized.
WHAT THEY GOT
On July 19, 2019, the story broke that CapitalOne’s database of credit card applications spanning all the way back to 2005 was hacked. Apparently when CapitalOne asks, “What’s in your wallet?” they mean everything, so they can keep a copy of it, for a very, very long time. CapitalOne was quick to assure us that the breached data was just a fraction of a percent of the total applicant data they have… So there’s that.
Though the breach did not include credit card numbers, it did include SSNs, addresses, and bank account numbers, reportedly impacting 106 million people. This information is known as “fullz”, or full sets of personal information. Though fraudsters demand this information less than credit card numbers, it is still valuable to identity thieves, who can commit far worse than criminal shopping sprees.
WHERE IT GOES
Luckily, the perpetrator was caught in short order, thanks entirely to her bragging about it at nerd hangouts/FBI honeypots like GitHub. However, her intent seems clear enough; she was out to cash this information in, and she had plenty of time for that. All it takes is access to the dark web. There, you can find hacked data of all sorts for sale, ranging from ready-to-use credit card numbers to more complex packages of fullz.
Instead of buying a ready-made stolen credit card number, crooks create fraudulent identities with these fullz, and then apply for credit cards, etc., with that ID. It takes a higher level of fraudster to turn this information into something fungible for money. So CapitalOne was not incorrect to assure us that no credit card numbers had been hacked. But given enough sophistication, the breached data can be used to do far worse, like falsify official documents or launder money.
WHAT IT’S WORTH
While ready-to-go credit card numbers fetch a hefty price — hundreds or even thousands of dollars — fullz are sold for far less. The problem is that while credit card numbers can be invalidated, SSNs and personal information like birthdates are forever. The fullz hacked from CapitalOne will be used by fraudsters for a long time to come, and will be harder to intercept. So even though this information fetches less on the dark web, to a skilled end-user it is far more valuable, because they can construct fraudulent identities with it forever.
THE MESSAGE FOR MERCHANTS
As a merchant, you are also collecting information just like what got hacked from CapitalOne. Your transaction data carries some of the same data points that fullz contain: billing addresses, mailing addresses, dates of birth. You too can be a target for a breach, albeit one that won’t make the hacker hall of fame. And unlike the CapitalOne perpetrator, most “professional” hackers prefer to stay under the radar. So in this regard you’re an even better target than a large-scale fullz aggregator like CapitalOne.
Don’t be the one that helps supply the fraud epidemic with more drama! Here are just a few steps you can take to safeguard the transaction data you collect:
- PCI Compliance: The Payment Card Industry is the trade organization of the card schemes, and it maintains best practices on protecting data in transactions. Merchants can assess their compliance by running a vulnerability scan through the PCI Security Standards Council.
- Use 3DSecure for transactions: 3DS is a security protocol where authentications are sent over a secure channel and are handled by the cardholder’s issuer. Obviously, the process is a lot more complex than that; you can learn more about 3DSecure transactions here.
- Update your APIs: Updates are created when vulnerabilities are discovered and patched. If you’re transmitting data for representment through Eliminator, Order Insight, VROL, etc., those integrations, like any application, need to stay up to date to keep ahead of hackers.
ChargebackHelp clients have access to all of this. Our gateway Billapay is PCI compliant and 3D Secure. And we help collect and transmit transaction data securely for representment by keeping all integrations up to date. Find out exactly what we can do for you! Drop us a chat down on the right, shoot us an email, or go old-school and call us at 1.800.975.9905.