Acquiring and Digital Security

News

Good day! The OctoStrategy team is on the line. When it comes to money and dealing with it, it's important to consider the security aspect. Acquiring and digital security is what we want to talk to you about today.
What is card acquiring?

Convenient payment methods not only enhance the customer experience, but also help you expand your business into international markets.

That's why acquiring businesses establish relationships with banks or licensed payment processing companies to get an account to process transactions. But becoming a credit card acquirer is an extremely complex process, requiring multiple technical system integrations, merchant contracts and certifications before you can process transactions.

Because the process is complex, an acquiring bank cannot offer the full range of global payment methods available.

 
What is a merchant acquiring?

Acquiring is the process by which a bank or licensed company establishes business terms with credit card networks to offer merchant accounts to process credit/debit card transactions.

Merchant acquiring is a range of services, from processing and making payments. It is conducted using payment cards. Simply put, merchant acquiring is a service provided to merchants that allows them to accept credit and debit card payments.

The various stages of the payment process are covered by a global payment company or merchant acquiring bank, which manages the entire process.
 

Acquiring infrastructure

The term "acquiring" in the world has evolved in a relatively short time from a purely professional term that implied the involvement of "service points"
to accept cards, to the designation of the entire complex of businesses to create and develop the infrastructure of cashless payment and cash service at retail and service outlets.

An example of the first was a banking mechanical device, an imprinter, which transferred an imprint of embossed details of a customer's bank card to a paper
bank card details on a paper carrier - a multilayer cheque.

However, the development of technological innovations has led
to the emergence of new acquiring instruments. Nowadays in this sphere expensive POS-terminals are used which cost often becomes a
stumbling block in relations between banks and small business.

 
PoS Terminal Management System

Terminal Management System means local hardware that controls access to the Terminals Assets and located at the Terminals Facilities, what can be loaded and the loading process and other tracking and inventory matters.

POS means accessories used in commerce (point of sail). The name POS terminal is an ambiguous term. Sometimes it refers to a separate device that reads bank cards, which allow customers to use cashless payment. In addition, a POS-terminal may be referred to as complex equipment that includes a special computer with software, a barcode scanner, a receipt printer and a card reader.

In commerce, you can also encounter references to POS systems. They are similar to POS-terminals in function, but the difference is that the systems are separate technical devices connected to a control unit, while the terminal is a monoblock, where the computer, monitor and other components are connected in one body. Interestingly, abroad there is no such division, and all the equipment is simply called POS-machines.

 
Acquiring security

Acquiring security consists of security of all units providing transaction processing (POS-terminals, payment gateways and processing center), as well as of data channel security.

Compromise of any of these elements can lead to financial losses for acquiring bank customers. And in special cases it can serve as an "entry point" into the internal infrastructure of the bank itself.

In order to prevent security incidents and comply with the PCI DSS it is important to ensure continuous protection of networks, systems and applications, correctly use the mechanisms of cryptographic protection of data, timely track and eliminate vulnerabilities.

 
Security and vulnerability of cards with contactless (NFC) payment.

Let's look at examples of contactless theft from bank cards.

The first one is theft of funds through a fraudulent mobile POS-terminal or a special device, which will create a fake purchase and 'force' the victim's card to pay for it," said the expert.
However, this way has serious limitations: an abuser needs to have a bank account, registered in the name of a legal entity, and a payment terminal, registered with the tax inspectorate. In this case the account is likely to be blocked because of clients' complaints and the intruders will not have time to withdraw money from it.

It is a typical case, expected by many people - when a man walks in the transport, puts a mobile terminal to his bags/pockets and withdraws money. Why in transport - it is obvious, this is the ideal place to lean unnoticed in the crowd, the terminal to the bag / purse / pocket where the victim can have a bank card with contactless payment.

The second way is the reading of the card data, its number and expiration date by a special NFC-camera (a device for reading data from contactless cards) for further fraud attempts with card-not present transaction (CNP), for example for payment in online stores.

For a start we should note that the card chip is in fact a microcomputer with its own processor, memory and operating system. Therefore, the method previously used to copy cards with a magnetic stripe is completely impossible here.

Let me remind you that the device called "skimmer" was attached to the slot for ATM cards, then when inserting the card it read the magnetic stripe going through it and recorded it in its memory and an intruder could later on record this data to any card with a clean magnetic stripe (the so-called white plastic) and use it for purchases in stores or, if he could find out the pin-code for this card, withdraw money from it at an ATM as well. Now, from the card you can not just "read the chip", you can only do with it a certain exchange of commands and data, described in detail in the specification of EMV.

The third option is called "Relay-attack" which outwardly resembles the first method - theft through a terminal, but in fact, using a fake card and a special gateway device allows one to make real purchases from another's card.

Generally speaking, there are two scammers involved in the implementation of a relay-attack. One is near the victim who keeps the contactless card in his wallet (Person 1), and the other is near the cash register of the store where the purchase is made (Person 2).

The fraudster Person 2 has a special microprocessor card supporting, on the one hand, a standard interface (contact or contactless) to work with the real terminal in the store, and on the other hand - a radio interface that operates in accordance with one of the communication protocols, providing communication at a distance of several tens of centimeters to several meters (for example, ISO 15693, ISO 18000).

With such a radio interface card can communicate with special equipment fraudster Person 2, which, in addition to supporting communication with the card, provides the organization of remote radio channel (for example, in accordance with the protocol Wi-Max (IEEE 802.16) with a contactless terminal controlled by the cheater Person 1.

Further, the fraudsters act as follows. Fraudster Person 2 gives the cashier to pay with his fake card (probably independently touches the reader with a contactless card). Then all the commands of the terminal installed in the real store through the card of the fraudster Person 2, its special equipment and fraudulent terminal Person 1 are transmitted to the real contactless card of the unsuspecting victim. The responses of the victim's card to the real terminal's commands along the same route, but in the opposite direction, are returned to the real terminal."

Contactless cards also have some vulnerabilities, their use in practice is either disproportionate to the possible profit received in relation to the cost of equipment (relay-attack) or very risky due to the inability to obtain the production and the inevitability of exposure.

In addition, the possibility of any of these methods of fraud is fundamentally cut off if the purse (purse, pocket) of the victim is kept near more than one contactless card. Actually, this confirms the fact that all recent news about card thefts are mainly related only to the methods of "social engineering".

So, you better don’t worry about it, everything should be fine ;)

 
Online Banking Security

Another thing is digital banking (online and mobile banking). Those things makes managing finances easy. With digital banking technology, you can pay bills, deposit checks and transfer money from wherever you’re located. Due largely to their convenience, online and mobile banking are the two most popular ways to bank.

But there are also some ways to steal your money. While reputable financial institutions implement a slew of security measures, you can take some steps on your own to keep your financial and personal details out of the hands of hackers.

We collect six simple ways to protect your online banking information.

 
Choose Strong and Unique Passwords

Your password can create an opening for hackers, even if you don’t realize it.

Some common mistakes you may be making with online banking passwords include:
  • Using personal information, such as your name, address or date of birth
  • Choosing shorter passwords
  • Relying on common words or simple number combinations
  • Using the same password for multiple logins
  • Not updating passwords regularly

Those things can make it easier to remember your passwords, but they make it easier for hackers to guess your password and access your online banking information.

Solution is:
  • Choose longer passwords, such as a phrase rather than a single word
  • Use a mix of upper and lowercase letters
  • Include numbers and special characters
  • Avoid common sequences, such as “1234”
  • Avoid using personal information, such as your name, pets’ names, date of birth, etc.
  • Don’t store your login details in your online banking or mobile app
  • Don’t write passwords on the back of debit or credit cards or keep them in your wallet
  • Update your online banking passwords regularly. Change them every three to six months to lower the odds of your password being stolen or decoded by hackers.

And consider using a password manager to store and protect your passwords—and make using longer and more complicated passwords easier.

 
Enable Two-Factor Authentication

Two-factor, or multifactor, authentication can add a second layer of security verification when logging in to your online or mobile banking account. First, you enter your login name and password and then you have to pass a second security test.

For example, you may need to enter a special code, verify your account through an automated phone call, use biometric verification or identify an image. This makes it difficult for a hacker or identity thief to unlock your account, even if they have your online or mobile banking password.

 
Steer Clear of Public Wi-Fi

Public Wi-Fi is convenient when you need to stay connected on the go, but you can’t count on it to be secure.

If you must access online banking or mobile banking with public Wi-Fi, you better follow this tips:

Disable public file sharing. Look up how to do this for your operating system.
Stick with sites that are secure. Look for “https” in the site’s URL, which triggers the lock icon in your browser. Your laptop or mobile device’s firewall may automatically flag sites that are deemed unsafe.
Consider using a virtual private network (VPN). This creates a private network that only you can access. You can set up a VPN through your mobile device or laptop using a VPN service.
 

Sign Up for Banking Alerts

Banking alerts notify you when certain actions occur. You receive near-instant notifications of any potentially fraudulent or suspicious activity. It’s often possible to receive email or text alerts for the following:

Low or high balances
New credit and debit transactions
New linked external accounts
Failed login attempts
Password changes
Personal information updates

If you get an alert and suspect fraudulent or suspicious activity, contact your bank or credit union immediately and change your online and mobile banking passwords.
 

Be Wary of Phishing Scams

Phishing is one of the most common methods identity thieves use to gain access to personal and financial information. This kind of scam usually involves tricking you into giving up your information.

Phishing scams can take different forms, but they’re often email or text scams. For example, you might get an email that looks like it came from your bank, telling you that you must log in to your account and update your information.

You click the link and log in to what appears to be a legit site but is a dummy site. Or, clicking a link downloads tracking malware to your computer, allowing identity thieves to log your keystrokes.

Either way, you’ve given up your login details without realizing it. For this reason, it’s important to scrutinize closely any emails that request financial or personal information.

Here are some tips for avoiding online banking phishing scams:

Verify the sender’s email address. Call your bank and ask if it sent you an email. Verify the email address that was used.
Hover over links. Hovering over a link inside an email can reveal where it will take you.
Don’t share personal details. If you get an email from your bank asking for information, call your local branch or customer service to verify that it’s legitimate before sharing any details.
 

Choose Trustworthy Financial Apps

Financial apps, including mobile banking apps, can help with banking, paying bills, sending money and shopping. But they’re not equally secure.

If you plan to use your bank’s mobile app, make certain you’re using its official app. The best way to do that is to download the app from your bank’s website. If you’re downloading the app from the App Store or Google Play, verify that it’s legit by checking the developer details and reading reviews.

 
Final word

Online banking offers convenience and control over your financial life. You can mitigate the risks by being proactive and protecting your online banking information. Doing so decreases the odds of your information ending up in the wrong hands.
Contact Us