Blippy, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members. 

How It Works

The site operates like Twitter, where members can follow other members.  Members sign up one of their credit cards to the site and any time a purchase is made with that card, the information is streamed, like a tweet or Facebook post, on the member’s page.

A member gives Blippy access to a card account (i.e. provides Blippy with access to the online bank account).  Blippy then obtains the transaction data, or raw data, from the card purchase and cleans it up for the web post.  For instance, “Starbucks USA 00075424 04/25 CARD #<XXXX> Purchase #<XXXXXXXXX> Newport Bch, CA”, would be converted to just “Starbucks”.

Members can also add accounts that Blippy has signed on (i.e., iTunes and Zappos), which can also include more details of the card purchase.  With some accounts, a member can choose to show full product details:

Michael purchased 1 app from iTunes (and then a graphic of the app, i.e., the iTunes song, is displayed below the stream)

Or just the amount spent:

Michael spent $3.75 at Starbucks

Members are using Blippy to find hot deals, compare costs (i.e. cable, utilities, cell phone), share restaurant experiences or post their own movie reviews.  Like Facebook, members and followers can comment on the post or hide posts from certain people.  (Maybe you don’t want a friend to know that you spent $80 golfing when you cancelled previously scheduled lunch meeting during the same time.)  Some see the revelation of spending habits as a conscience for shoppers.  Others see it as sharing too much information.  Certain purchases and excessive spending can be potentially damaging to someone’s reputation.  For consumers who want to share everything and have nothing to hide, this is perfect for them.

“Users who share information online are becoming slowly aware of the risks of this new technology.”

Like any social networking site, retailers and manufacturers could use the posted information to get feedback on products, shopping experiences and consumer behavior in general.  On the flip side, it could create more competition.  If full details of a purchase are posted, a competitor could lower prices to steal future business.

Privacy Concern and Security Risks

Information sharing and web collaboration were made possible with Web 2.0 technologies.  Users who share information online are becoming slowly aware of the risks of this new technology.    Companies who promote the sharing of information online need to ramp up security and take responsibility to help protect their users.

The exposure of members’ credit card data on Blippy was discovered during the site’s beta phase, when some raw data could be viewed on the HTML source page of a Blippy member’s page.  Experienced (and certainly determined) web users could see the raw data, which Blippy claims was mainly harmless (i.e. store numbers, etc.).  After that issue was discovered, the glitch was fixed quickly.

According to Blippy cofounder Philip Kaplan, there was a “’technical oversight’ in February which resulted in raw transactional data showing up within the HTML code on some Blippy pages for half a day.”  Because of the indexing power of Google, the HTML data, which included full card numbers of four Blippy members, turned up in close to 200 search results.  Even though Blippy’s site went through several modifications since then, the Google snapshots of these pages were not updated.  Blippy worked with Google immediately to remove the indexed pages.

Blippy then discovered another member’s card number in a web search on Saturday, which turned up in 20,000 pages.  The company again worked with Google to remove the data.  In both cases, Blippy also contacted – and apologized to – the members affected.

Blippy – and its members – were quite lucky.  The damage could have been a lot worse had the site been in a more viral stage, ala Facebook or Twitter.

Who is in Control?

Social networking has given people the power to open up that privacy door – all on their own.  At the same time, secure data is at risk when financial information is released into the air.

Amazon was leary of Blippy in the beginning, as it blocked buyers from publishing their purchases.  Blippy went around the roadblock by requesting members who used Gmail for access to their accounts to obtain the purchase data that Amazon emailed to them.  Other retailers have joined Blippy without as much concern, seeing it more like a promotional tool.

Even though a cardholder would not be responsible for fraudulent charges, it doesn’t help our economy if retailers are left holding debt as a result of credit card fraud.  As discussed in a previous two-part blog, when data is compromised, fingers are usually pointed to the merchant receiving the card information.  However, all parties involved are responsible for ensuring data security.  On the top, merchants need to be extra careful about business relationships which may affect the data protection of their customers.  Unfortunately – for banks and retailers – if a cardholder volunteers access to his or her account, and card information is jeopardized, the cardholder is still protected.

While Blippy thought they were on top of security on their site, the recent data exposure has changed their course.  In their April 26 blog, they outlined a new security plan which includes hiring a chief security officer and conducting regular security audits to protect members.

On the positive side for Blippy – the company has certainly gained more exposure since the data security issue hit the news.  Oh, and Blippy will soon have company in this playing field as Swipely is soon to go live.

Online fraud has evolved and is no longer limited to strangers and stolen cards. Fraud can even come directly from the people you hire to market your products. A type of this kind of fraud is called affiliate fraud and involves affiliate networks. An affiliate network acts as an intermediary between publishers (affiliates) and merchant affiliate programs. They are the people that you hire to drive customers to your site and manage your affiliate activity.

Affiliate fraud comes in many different forms, one of which is deceiving marketing emails that are often considered spam and can give your company a bad name. It is important to market your product or service and use email campaigns strategically. Beware of the many affiliates that may create masked domains of your web site, capturing customers who may not know they have purchased your product and causing a large number of chargebacks.

A large indicator that there is possible affiliate fraud is looking for a large amount of customers coming from the same IP address or that are using similar emails. Many times the affiliate will use a gift card or prepaid card to make purchases and when these cards get close to their next billing cycle they get declined.

There are things you can do to protect yourself against online affiliate fraud. Having a stable and reliable third party reporting system will help minimize your risk. Your software should show how many of the affiliate transactions actually continue to the next billing cycle. It is also important to have a system that has the ability to block affiliates and can provide your business with data that can be analyzed. Solid reporting systems can let you know exactly what affiliate network is sending traffic back to your website.

Affiliates still remain an excellent source of traffic for people who are looking to promote their website or products online, but caution and research should be taken when selecting and monitoring what affiliate network is best for you.

Most may think that banks are not taking on these types of credit card accounts because of the financial state of our banks. There is a big difference between the acquiring side of banking and the issuing side. In fact the acquiring side that handles credit card processing in the banking industry seems to be the only piece still making money and I predict they will continue to generate revenue. There are acquirers out there that are designed to specifically cater to high risk types of online businesses and have flourished in these industries. To make sure your new venture does not turn out to be a big loss, it is important to look for more than just a card processor to partner with.

Some important items to look for when starting a high risk business online:

• Most acquirers that are approving online high risk businesses set limits to how much you can process through your account. It also difficult to avoid a reserve account. Be prepared to have about 10 percent of your monthly Visa and MasterCard processing held for a minimum of 6 months. Also, be sure to pick a partner that provides load balancing services. This will ensure that your account is properly monitored and you are not over burdening one account with transaction amounts that are over your limit,which could result in your account being shut off.
• When you are running a high risk business in a card not present environment, you run a greater risk of chargebacks. An acquiring bank typically does not allow for more than 1 percent in chargebacks. Look for a system that can monitor your disputes and provide quick and easy responses to your bank to prevent them from turning into a chargeback.  This will drastically reduce the percent of chargebacks you get and allow you to continue growing your business.
• Look for a partner that has fraud monitoring systems. With all of the identity theft these days, you want to make sure your transactions are safe and valid cards are being used.
• Make sure to pick a system that is easily modifiable for business growth.

Businesses that fall into the high risk categories are legitimate businesses and can prove to be lucrative if monitored properly. This will contribute to merchant processing  continuing to be a profitable and lucrative arm of banking.

Here are some tips to help prevent identity theft:

1. In Part I of this series, I discussed the importance of generating secure and strong passwords. Make sure your corporate files are safe and all passwords are required to be at least 8 characters long. Make sure they have a random mixture of characters and numbers.
2. One way to ensure your computer is secured is to drop it in a vat of concrete and build a 10-foot tall statue over it. But of course this would make your computer very difficult to use. Keeping your computer safe is much easier than that. First, make sure only authorized people have access to your network. Use a secure network router between your computer and network connections so hackers will have a tougher time finding the computer.
3. Make sure you are keeping your website, software and operating systems updated with the latest patches. You may want to consider purchasing hard drive data encryptors.
4. You should know who has access to your mail (personal and company’s). Access to bank statements, social security numbers, insurance statements, utility bills, and any other mail that may contain financial information. It is also important to protect your trash by always asking yourself the question “Is there any personal information written on this document?” Make sure to shred all important documents, as well as seemingly innocent items like credit card offers and sky miles statements.
5. Order free credit reports to monitor your score and activity every year.

There are ways to fight back if your site has been compromised or your identity has been stolen. You may find local police unable to assist because of the complexity of these types of crimes, as well as their lengthy investigations. But if you persist, you can get a report filed. Make sure to keep adequate records of all occurrences, police filings, and contacts.

Part one of this series talked about identity thieves wanting your password, and we discussed ways to protect against having your passwords compromised. Securing your password seems to be only 25 percent of the battle these days. Many network security breaches, like the Heartland Breach, occurred from within. So it is important to be PCI Compliant internally and know who is working for you.

I wish there were a specific set of characteristics I could post to detect an identity thief, but unfortunately they are as broad as the criminal population itself.  I like to divide attacks by criminals into two categories: internal attacks and external attacks.

Internal attacks are usually traced back to disgruntled, dishonest, and/or careless employees. Some common characteristics of an internal attack are:

1. Computer and data theft:  An employee stealing a PC, laptop, memory stick, or external hard drive.
2. Desk snooping: Look out for employees snooping around a co-workers’ desk for reminders and notes. Sometimes they might even ask a coworker to look something up to see if they should happen to keep a sticky note under a tissue box with their password.
3. The roaming employee: This employee typically wanders around looking over cubicle walls and observing keys that other employees type.

External attacks are usually done by a person that has no direct access to the company or its website. These types of thieves are crafty. They come in many different forms and are always coming up with new ways to get into a website. Some examples of theft to look out for are:

1. Bogus websites: I have only recently learned about how these actually work. These website ape legitimate sites. The design is so similar it can often fool the website owner himself. Consumers enter in their personal information and the thief captures it for their own use.
2. Forceful attacks: The techies call this a brute force attack. This is where a computer is set up to methodically try every combination of letters, numbers, and symbols to break a password.
3. Web page hijackers: These savvy criminals load malicious code on to your computer. The code is designed to redirect your typed web address to another site. This also can cause you to be redirected to one offensive site after another.

Protecting your network and website against identity theft can be costly, but there are many cost effective ways to secure your network. Privacy protection laws must inform customers that their private information has been compromised. This notification alone can cost around $20 per customer. Better to be safe and secure now, than pay the price later.

It is important to first understand what different types of identity theft occur, and then you can find out how to get protection.

The easiest item for a criminal or hacker to obtain is your password. Some common mistakes made when setting up passwords is using names of kids, birthdates, or hometowns. Spelling your child’s name backwards is another frequent mistake. I have even seen people write their passwords on a sticky note, in a notebook or in your PDA. Do not give office assistants your passwords. Remember passwords are used in more than 90 percent of all online network security practices. People use passwords for online banking, shopping, stock trading, and network logons. It is imperative to create a strong password. 

A password alone may not secure your online purchases. Many are turning to smart card security and Power LogOn. Power LogOn combined with Smart Card technology provides the ability to securely store your passwords in a smart card chip, like an electronic safe. This can help prevent a criminal from getting your passwords and personal information. A smart card is a plastic card with an embedded chip that can offer advanced security features to prevent unauthorized access to retrieve and modify stored data.

Power LogOn provides many security benefits such as:

• Passwords can be created by using 20 out of 96 available keyboard characters.
• PIN protected smartcard technology locks the data after three wrong authorization attempts.
• The software works with your PC or network logon, password protected data files, windows-based applications and web accounts.

Password security, without convenient implementation, is not free to the company or website that lacks it. Resetting passwords can take 20 to 50 percent of IT support’s time and costs approximately $70 per incident. This is time and money that could be more wisely used to increase other aspects of a company’s network security.

On Tuesday January 20^th, 2009 Heartland Payment Systems, a New Jersey based payment processor, disclosed that they had been hacked. Heartland Payment Systems processes about 100 million transactions a month for over 250,000 merchants. Although Heartland has not released numbers on how many card numbers have been compromised, it has been said that this breach will set a historic record. A breach of this magnitude will no doubt create a surge in fraudulent transactions all across a wide range of ecommerce sites and affect online purchases for a long time.

If you are an online business owner, be prepared for a rise in chargebacks and declined transactions. It is now more important than ever to have systems in place to monitor fraudulent activity. Implementing alert systems that detect a fraudulent transaction before they go through is a way to stay one step ahead. Another is to make sure you require AVS and CVV2 confirmations on your online orders.  Most importantly, have clear purchase terms and conditions on your site.

Only Heartland and the U.S. Secret Service will know the true extent of the breach but I am sure that we will all feel it in one way or another. If you are worried you are a card holder who may have been compromised, immediately notify your bank and have a new card issued. Contact all three credit bureaus and put an alert on your account.

This decision to extend is said to be largely due to complaints from creditors that they were unaware of the existence of the new regulation and some say they only found out after the deadline had passed. This deadline according to the official press release only applies to organizations that are not under the jurisdiction of any of the other regulatory agencies other than the Federal Trade Commission. FACTA requires financial institutions and creditors to implement a written identity theft prevention program that should help detect identity theft, hopefully before any damage is done. If identity theft is not detected, the regulation calls for the financial institution or the creditor to reduce the risk to the consumer and the organization.

Many creditors have complained that there is not a clear cut way of indicating how they will be audited, and it has not been indicated how penalties will be assessed. The FTC Enforcement Policy now clearly defines all the parameters for creditors to follow. Going forward there will be no question that if you fit into the category of “creditor” you will be required to comply with Red Flag Rules. Still many organizations feel they are flying under the radar or won’t be caught. What does a company have to gain by allowing identity theft to occur?

Rules to be followed range from watching for suspicious social security numbers that may be on the Security Administration’s Death Master File to suspicious, or repeated, address or phone number tracking. Plain and simple, following Red Flag Rules will reduce identity theft and every business should want to participate in keeping our personal information safe.

Illegitimate chargebacks are costing business owners, and it’s time to fight back against dishonest customers and fraud. I have surveyed 50 of my online merchants and found that most of their chargebacks come from people who order items online, and then in an attempt to keep the product without paying for it, dispute it. I consider this shoplifting.

Part of the problem seems to stem largely from regulations put in place stating anyone can dispute any charge for any reason. Naturally, crooks will use these regulations to their full advantage.

Many online merchants are losing the battle against chargebacks and feel there is nothing they can do. Online merchants should not give up; not all chargebacks are final. The best option is to respond to the chargeback letter immediately. Keep in mind that if your bank still honors the chargeback, you have the right to go after the consumer plus any costs you incur as a result.

Some key tips for combating against chargebacks are:

1. Use a trackable shipping service and require signature on delivery. This provides you with documentation if a dispute should arise. If you sell e-books or other downloadable items, it is a good idea to add something tangible for tracking purposes.
2. Make sure your return policy is clearly posted on your website. Post time limits for refunds and associated fees, such as restocking fees. Also note the condition of the product.
3. Post a chargeback policy on your website. Don’t be afraid to report customers to collection agencies for excessive chargebacks.
4. Make sure to pick a gateway that has a chargeback support feature. These gateways can help you find the best way to combat chargebacks and the correct way to respond to chargeback notices.

It is better to be safe than sorry. If you have specific chargeback issues and are looking for the best way to respond to your notices, feel free to comment. We would love to help.