Category Archives: Fraud & Security

Rather like Brexit, the Second Payment Services Directive (PSD2) is coming and whether you like it or not, it will bring important and sustained changes. In the case of PSD2 those changes will disrupt the way that payments work all around Europe. So, what will the changes be? While much is uncertain, we can highlight some impacts which are almost guaranteed. In particular, those at the rock face of PSD2 agree on Strong Customer Authentication (SCA): Do whatever you can to avoid it. There are good reasons for PSD2 uncertainty. Key parts of the directive aren’t fully documented. More importantly, because the programme has been designed to be open to interpretation, to be flexible, even when it is written down, there is a lot of space for interpretation. And there are plenty of people who want to fill the gaps in to suit their own ambitions. Who will emerge as... [Read More]

We recently commissioned a study from independent research company Ovum on how organizations are tackling cybersecurity and what they plan to do next. Losses because of a data breach or other cyberattack can be severe, particularly when factors such as customer and shareholder confidence are taken into account. We therefore expected that cyber risk insurance would be an increasingly important way in which organizations are mitigating their risk. The results were far from uniform: The UK was the most insured country we surveyed, with 69% of respondents holding some kind of insurance, and the USA was the least insured – only 51% of US respondents had any kind of cyber risk insurance. Across the industries surveyed, financial services firms were the most likely to be insured (71%), and healthcare the least likely (26 percent). Even when businesses have invested in cyber risk insurance, it’s unlikely to cover them for all... [Read More]

This is a guest post from Nikola Marcich with the Policy team at the Software & Information Industry Association (SIIA), the principal trade association for the software and digital content industry. Walking into Bernie Madoff’s home in 2005, you would not have found piles of money under a mattress, behind a sofa or in his garage. At the time, Madoff had been running an elaborate Ponzi scheme through the wealth management arm of his business that reached $65 million by the time of his arrest in 2008, deliberately hiding the money intricately within the financial system. Serving as Madoff’s primary bank for over two decades, JP Morgan was one of the culprits of Madoff’s fraudulent actions and money-laundering tactics. In their innocent incompetence to identify clear red flags about Madoff’s returns and file a Suspicious Activity Report (SAR), JP Morgan’s was fined $1.7 billion in 2014. JP Morgan’s fine highlights the... [Read More]

The use of scores that rate a firm’s cybersecurity risk — such as the FICO® Enterprise Security Score — is picking up momentum. In an effort to ensure that these scores consistently add value, and to ensure that they help rather than harm businesses, a group of firms recently convened to develop industry standards for cybersecurity ratings. FICO joined this group, along with several Fortune 500 companies and a number of the country’s biggest banks, and I am proud of the principles we developed. By creating these principles, we sought to: Promote quality and accuracy in the production of security ratings Promote fairness in reporting Inject best-practice decision management governance standards into a new domain Include a coordinated process for adjudicating errors or inaccuracies in reported content Establish guidelines for appropriate use and disclosure of the scores and ratings Why were principles needed? One reason is that there is a... [Read More]

A recent survey carried out on our behalf by research company Ovum found that 48% of organizations think that in a year’s time, an assessment of their cybersecurity will show improvement. Only 3% think that their cybersecurity position will have worsened. Most companies also think they are doing well compared to their competitors; a mere 6% think their cybersecurity is below average and 54% think they’re above average or a top performer. This is statistically unlikely. It seems that many are taking an optimistic view of their cybersecurity. Could a lack of objective measurement be to blame? Here’s what our survey participants said: It is encouraging to see that 94% carry out some form of assessment. However, consideration must be given as to how objective the methods used are. 38% of respondents say they self-assess based on their own criteria, this is the largest and possibly the most worrying category.... [Read More]

As new countries such as those in the Nordics embrace contactless payments, people are asking about the impact on fraud. We discussed this last month at the DT Fraud Conference 2017, where Peter Bayley from Visa and I debated some of the issues arising. The good news is that contactless doesn’t appear to increase fraud. But it could. The first thing to note here is that the type of fraud consumers worry about is hugely unlikely. This is “proximity intercept,” where a card’s signal is grabbed by a fraudster’s device. The fear of this is played on by the manufacturers of physical RFID wallets, and sometimes even by the media. It sounds plausible but has not proven to be a big problem. The more likely potential threat of contactless is actually more complicated, and involves “disowned” transactions where the consumer fails to recall a transaction; in extreme circumstances this can... [Read More]

Many of you reading the headline will be thinking – yes we do! We are even getting bored of talking about PSD2. But I’m not talking about us in our payments bubble. I’m talking about the general public. Small business owners and people in love with their Amazon 1-Click don’t know that PSD2 is about to rock their world, or at least change how they take and make payments. Last night I went to a local pub and while sipping my Merlot noticed a sign behind the bar “50p surcharge on card payments below £10”. It’s not unusual to see variations of this sign in small businesses, and no one has told them that from January they won’t be able to surcharge. I spoke to the barman, who turned out to be quite savvy about card payments, but he hadn’t heard of PSD2 and didn’t know that this would happen.... [Read More]

Given the significant consequences that face board members in breached organizations, you might expect that they are giving cybersecurity their full attention – but are they? Our recent survey with research and consulting firm Ovum sheds a revealing light on this.  Do they think the problem will go away? No one is expecting cyber-attacks and breach attempts to stop, and only 1% of respondents think that levels of attack will go down in the coming year, while 62% expect the rates of attack to increase. This reflects recent experience in their own organizations, 60% have experienced an increase in attempted data breaches in the past year, 24% of those polled have seen attempts increase in volume by more than 25%. Verdict: Not complacent – they recognize that cyber threat is on the increase. Are they investing enough to fight cybercrime? Although 62% of organizations expect cybercrime attack rates to go... [Read More]

Its been a year since the Panama Papers were leaked to the public. The leak of 11.5 million digital records exposed  the dark deeds of dirty money and tax evasion and burst the bubble of pretense that the world is effective at dealing with corruption. Investigations were launched in 80 countries , with twelve national leaders among 143 politicians, their families and close associates from around the world known to have been using offshore havens to dodge taxes and hide assets. As the fallout out continues to ripple across the world, we decided to ask 37 executives from financial institutions across the Asia Pacific about tax evasion and how they thought it would impact the region. One in five banks in Asia Pacific say that they expect tax evasion to increase 100 to 500 percent over last year’s levels according to a recent poll by FICO. This is despite new reporting regulations being introduced... [Read More]

Last week alone, a New York hospital, a US car washing business and a UK online retailer all suffered headline-making data breaches. There is no fool-proof cybersecurity defence, so businesses of all sizes need to consider not only how they can prevent breaches but also determine what they will do should the worst happen. Additional losses are heaped on companies that fail to manage the fallout from a breach well. Poor customer communication, disastrous PR and a slow or ineffective response all damage reputation, lose customers and worry shareholders. Despite this, a new, independent cybersecurity survey we commissioned with independent research and consultancy firm Ovum shows that only 51% of companies surveyed have a tested data breach response plan. Looking across the six countries we surveyed, it’s clear that some are doing better than others, though none had excellent coverage on this question. The Norwegians are top of the class... [Read More]