Email Breaches, the Connection to Same-Day ACH and a little “PCI”
Recent Email Breaches
Regrettably, we have additional instances of email breaches to report this week. According to a report by Reuters, there is an active trade of hundreds of millions of hacked usernames and passwords for email accounts and various websites within Russia’s criminal underworld.
Hackers stole a total of 272.3 million accounts, with the majority belonging to users of Russia’s popular Mail.ru service. This incident is currently unfolding and is already considered one of the largest collections of stolen credentials since major cyber attacks targeted prominent U.S. banks and retailers two years ago.
TechRadar says that while it’s not clear “how recent the username and password combinations are… the stolen credentials could be abused multiple times by hackers. If you’re on Gmail, Yahoo or Hotmail then the best course of action is to change your password.”
Connection to ACH and Same-Day ACH for Email Breaches
The email breaches have another connection to some security writing in the news. We’ve talked about ACH here, of course. As our own tutorial has it, “basically, ACH allows a merchant to accept payments by check without having to have a paper check in hand. This means that even an online business can offer their customers the flexibility that comes with paying for products and services by check.”
We’ve also told you about the push from the government to institute “ same day ACH ,” so the payments would “clear” faster. As Pymnts.com is reporting “same Day ACH is slated to see its first rollouts among U.S. banks and FIs this September.”
The article talked about some of the “operational challenges” the stepped-up payments will face, working “with three windows a day now, instead of one… Fraudsters will pick up the opportunity to jump transactions right before window closure,” meaning there’ll be less time to review them.
The problem occurs when an employee is attempting to authorize a payment based on instructions from someone pretending to be a CEO or CFO. This situation requires banks to remain vigilant in blocking fraudulent transactions, even if the employee believes it to be legitimate.
So the combination of stolen business “credentials” — email logins, and more — combined with the shortened window for verification presents more opportunity, in the near term, for additional fraud.
PCI Standards and Multifactor Authentication To Protect From Email Breaches
Meanwhile, there are other, ongoing, anti-fraud initiatives in the works.
One of the biggest changes is that “with the PCI DSS 3.2 standard, all personnel with non-console administrative access to the cardholder data environment are required to have multifactor authentication.”
In other words, the chain of who needs to “authenticate” will grow. We’ll have more about that next week.
Until then, go change your personal, and business, email passwords. And contact your AVPS Rep for any help you need with PCI-compliant upgrades, EMV POS devices or more.