Tailwind Solutions explores why a priority for retailers will be ensuring card readers are physically secure at Point of Sale in 2014
The scandal at Target and Neiman Marcus stores over the 2013 Christmas period, where up to 110,000,000 customers had personal and financial data stolen in Point of Sale skimming scams, has had far-reaching consequences for the US card payment industry. EMV (Chip & PIN) adoption is now being accelerated and card issuers are changing the rules on how responsible a store is for data theft. From October 2015, instead of card issuers covering two thirds of any card-related fraud, merchants will be liable for the full amount where an EMV-compliant card has been used in a payment terminal which is not EMV-compliant. However, card issuers will cover all fraud that results from the use of any card in any EMV-compliant terminal. But will EMV be a catch-all solution for Point of Sale card payment fraud? And would EMV have prevented the Black Friday skimming at Target?
Malware known as ‘Kaptoxa’, part of the BlackPOS malware family, is the culprit in the Target data theft, scraping data from the Windows-based payment system after it has been decrypted to be checked in a process called ‘transaction verification’. BlackPOS malware first appeared in early 2013, but the most successful new variations appeared in November 2013 and were designed to hide their network traffic within the business day and to intercept credit card information after it is decrypted by ‘scraping’ data from process memory. Both the Cyrillic character set and the signature ‘Kaptoxa’ suggest a Russian origin for the malware[i].
According to McAfee, the malware must be deployed onto a system which carries out external payment verification. Although it is still not clear how the malware made it onto the EPOS systems of major retailers, it is likely to have been through phishing or hacking rather than via the POS terminals or card reading machines. Because the data was stolen from the payment system, EMV would not have prevented the fraud; only better IT security that prevented the original malware infection could have done so.
It’s therefore easy to conclude that if retailers plug the holes in their IT security, criminals will no longer be able to access customer card data and the problem will be solved. However, it is more likely that as IT security becomes tighter, criminals will turn their attention to the card payment machine itself, where there are multiple opportunities for data theft and where ‘real world’ security is often much more lax than in the cybersphere.
The card reader itself is a hot target for criminals, who have a host of ways to steal customer data. These range from something as simple as looking over the shoulder to see another shopper’s PIN (shoulder surfing), through adding a chip to the card machine or installing malware onto the payment machine, to stealing and substituting the card reader itself.
At Blackhat 2012 two researchers, in a talk called PinPadPwn[ii], demonstrated how a malicious smart (Chip & PIN) card can be used to place malware onto a POS payment device and display fake messages to the retailer. The researchers also highlighted that hardware manipulation, where a chip is physically added to the terminal or where a payment machine is stolen and replaced with one which has been adapted by criminals, is a live issue for retailers around the world.
So while IT network security is very important, protecting the hardware by ensuring no one can gain access to the back of the card payment machine or steal it should be just as high on a retailer’s priority list.
Ideally, a card payment machine should be secured in place with a mount which prevents criminals from gaining access to the rear of the machine when in situ and from stealing and replacing the machine. A lockable mounting device from which the card machine can only be removed with considerable mechanical force lowers risk, and when combined with network management tools which allow the devices on the network to be monitored and each machine recognised, the risk of physical interference is minimised as far as possible.
Determined criminals have been known to try colluding with store staff to get around these types of security measures. Merchants can counter this by installing lockable bases for the card machines and limiting the number of staff who hold keys. Regular checks can help ensure that the correct number of machines are all present on the network, and RFID technology can confirm they are the right machines. A hologrammed security sticker which shows clearly whether the seal is intact can indicate that the machine has not been tampered with and is still secure. Spare machines in storage should be securely locked away and accounted for, with care taken to ensure they are not accessible to casual staff or to the general public.
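The regular inventory check described above can be automated. The following is an added Python example (not code from the article or from Tailwind Solutions) that reconciles a constructed asset register of terminals (lane, serial number, MAC address) against what a network management tool reports, flagging terminals that are missing, have been substituted, have moved lane, or were never registered:

```python
# Added example (not the article's or Tailwind's code): reconcile a store's
# payment-terminal register against what the network management tool sees.
import csv
import io
from dataclasses import dataclass

@dataclass(frozen=True)
class Terminal:
    lane: str    # mount position / checkout lane the device is assigned to
    serial: str  # serial number recorded from the device label
    mac: str     # network address the device presents on the store LAN

def load_terminals(csv_text):
    """Parse 'lane,serial,mac' rows (header included) into Terminal records;
    MACs are lower-cased so cosmetic differences do not raise false alarms."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return [Terminal(r["lane"].strip(), r["serial"].strip(),
                     r["mac"].strip().lower()) for r in rows]

def reconcile(expected, observed):
    """Return discrepancies between the register and the network view:
    missing     - registered terminals seen nowhere (possible theft)
    substituted - a lane holding an unregistered serial/MAC (possible tampered swap)
    moved       - a registered terminal on a lane other than its recorded one
    unknown     - an unregistered device on a lane the register does not list
    """
    exp_by_id = {(t.serial, t.mac): t for t in expected}
    exp_by_lane = {t.lane: t for t in expected}
    seen_ids = {(t.serial, t.mac) for t in observed}
    report = {"missing": [], "substituted": [], "moved": [], "unknown": []}
    for ident, t in exp_by_id.items():
        if ident not in seen_ids:
            report["missing"].append(t)
    for o in observed:
        home = exp_by_id.get((o.serial, o.mac))
        if home is not None:
            if home.lane != o.lane:
                report["moved"].append((home, o))
        elif o.lane in exp_by_lane:
            report["substituted"].append((exp_by_lane[o.lane], o))
        else:
            report["unknown"].append(o)
    return report

# Constructed sample data: the store's asset register...
EXPECTED_CSV = """lane,serial,mac
lane-01,SN1001,00:11:22:33:44:01
lane-02,SN1002,00:11:22:33:44:02
lane-03,SN1003,00:11:22:33:44:03
spare-A,SN1004,00:11:22:33:44:04
"""
# ...and the network view: lane-02 holds a different unit, lane-03 is empty,
# the spare has turned up on a new lane-04, and lane-05 was never registered.
OBSERVED_CSV = """lane,serial,mac
lane-01,SN1001,00:11:22:33:44:01
lane-02,SN8842,00:11:22:33:44:F2
lane-04,SN1004,00:11:22:33:44:04
lane-05,SN7777,AA:BB:CC:DD:EE:FF
"""

if __name__ == "__main__":
    result = reconcile(load_terminals(EXPECTED_CSV), load_terminals(OBSERVED_CSV))
    for kind, items in result.items():
        for item in items:
            print(f"{kind.upper():12}{item}")
```

A substituted lane also produces a "missing" entry for the unit that should have been there, which is the combination a store manager would want to investigate first.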
Fraud protection is not the only benefit of mounting a card payment device. Card machine manufacturers use sensitive security systems which shut the machine down and wipe data if they detect activity that could indicate a ‘tamper’. This is a valuable way to protect customer information from genuine attacks, but a false tamper can be costly to the retailer, as the machine generally needs to be replaced. Mounting the machine reduces handling by customers and checkout staff, and with it the incidence of false tampers. Mounting also reduces the wear and tear on the machine and its cable as it is passed backwards and forwards to the customer, and so extends the life of the machines.
So, although criminals will always find new ways to target payments at POS, taking care with the physical security of your card payment technology by mounting your card reader as securely as possible can be just as important to protecting your customers’ payment data as ensuring your IT network is secure. And the peace of mind you gain knowing you’re protecting your customers is just as important as the financial benefits gained from extending the lifespan of your payment technology.
The writer, Ailsa Bates, is Marketing Director at Tailwind Solutions, which supplies secure and lockable mounting solutions for all kinds of card reader equipment. For more information visit: www.tailwind-solutions.co.uk.
[i] See McAfee’s Threat Advisory for more information: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24927/en_US/McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf
[ii] For more information see:
Volkswagen CEO tweets, Musk-style, on market-cap milestone
By Thyagaraju Adinarayan and Christoph Steitz
LONDON/FRANKFURT (Reuters) – When the market value of Germany’s Volkswagen briefly rose above the 100-billion-euro mark on Wednesday for the first time since 2015, the boss of the normally staid carmaker took to Twitter, Elon Musk-style, to crow about it.
VW shares soared as much as 6% after investment bank UBS raised its price target on the stock by 50% and said the company’s new electric vehicle platform was set to challenge Tesla’s dominance in the battery electric vehicle (BEV) market.
Herbert Diess, chief executive of VW Group, highlighted the UBS note on Twitter and shared the market capitalisation milestone.
“The market has been waiting for our #BEV-ramp-up and wanted to see some proof points,” Diess posted.
Traders reacted with comparisons to Tesla chief Elon Musk who frequently uses Twitter to talk up products developed by his companies, cryptocurrencies or other buzzing technologies.
The comparison, at least for now, must end there.
Diess sent his first tweet using the “@Herbert_Diess” handle less than two months ago and has since tweeted 51 times. While he has managed to amass almost 25,000 followers in this time, Musk can boast of 48.3 million.
“The sheer fact that he started his own account apart from the official VW account tells me, that between the lines he wants to express: We are here,” a Germany-based trader said.
Though unrelated, and a more market-moving tweet, another trader pointed to the U.S. Securities and Exchange Commission’s probe into Musk’s 2018 tweet that he was considering taking Tesla private at $420 a share.
EV RACE VS. MARKET CAP RACE
But despite recent share price gains — up 20% this year — VW’s market capitalisation is just one-sixth that of Tesla. Shares trade 7.5 times 12-month forward earnings; possibly its role in the EV transition is not fully priced.
Tesla meanwhile trades at 160 times 12-month forward earnings, levels many consider bubble-like.
On the market capitalisation gap, UBS said VW’s only takes into account its EV business out to 2025, and doesn’t price its cash flow-rich legacy business, indicating there is room for the share price to rise.
It added that VW would likely “master” the transition to close the volume gap with Tesla in 2022.
At 300 euros, UBS has the most bullish price target on VW. Analysts’ median price target on its shares was 191 euros, according to Refinitiv data.
Preferred shares, which are listed in Germany’s benchmark DAX index, hit January 2018 highs on Wednesday, while ordinary shares rose as much as 5.6% to their highest since July 2015, two months before the diesel scandal broke.
VW closed 4.7% higher at 185.18 euros per share on the day, taking its market value to 99 billion euros.
(Graphic: Tesla vs VW, https://fingfx.thomsonreuters.com/gfx/buzz/ygdvzellrpw/Pasted%20image%201614767907811.png)
(Reporting by Thyagaraju Adinarayan in London and Christoph Steitz in Frankfurt; Editing by Sujata Rao and Jonathan Oatis)
UK offers ‘super deduction’ to temper 25% corporation tax hike
LONDON (Reuters) – Britain will raise corporation tax to 25% from 19% from 2023 to help pay for the cost of the COVID crisis but tempered the tax rise with a “super deduction” to spur investment, finance minister Rishi Sunak said on Wednesday.
“The government is providing businesses with over 100 billion pounds of support to get through this pandemic so it is fair and necessary to ask them to contribute to our recovery,” Sunak told parliament.
“Even after this change, the United Kingdom will still have the lowest corporation tax rate in the G7,” Sunak said.
Sunak said he would encourage businesses to invest their cash reserves with a so-called “super deduction” to reduce their tax bill by 130% of the cost.
He said that under existing rules, a construction firm buying 10 million pounds of new equipment could reduce their taxable income in the year they invest by 2.6 million pounds but with the “super deduction” they could reduce it by 13 million pounds.
“We’ve never tried this before in our country,” Sunak said.
Sunak quoted the Office for Budget Responsibility as saying it would boost investment by 10%, around 20 billion higher per year.
“It makes our tax regime for business investment truly world-leading, lifting us from 30th in the OECD, to 1st,” he said.
“This will be the biggest business tax cut in modern British history.”
The United Kingdom introduced corporation tax at a rate of 40% in 1965. It rose to a high of 52% in the 1970s.
In the 1980s, the main rate was cut to 35% under Margaret Thatcher, then during the 1990s from 35% to 30% and eventually to 20%.
The rate was cut to 19% from 2017 and was supposed to be reduced further to 18% and then 17% but has been held at 19%.
Sunak said small businesses with profits of less than 50,000 pounds a year would be charged only 19% – so around 70% of businesses would be unaffected.
He also said the government would taper in the tax on profits above 50,000 pounds so that only businesses with profits of 250,000 pounds or more – around 10% of companies – would be taxed at the full 25% rate.
(Reporting by Guy Faulconbridge, editing by Estelle Shirbon)
Acting as an attorney during Covid-19: Duties, safeguards and dealing with disputes
By Philip Collins, Partner at Winckworth Sherwood
For many elderly and vulnerable people, March 2021 will mark one year since they began heeding the government’s advice to stay at home. For the fit and healthy amongst us, last summer and autumn provided a welcome break from lockdown, but for those who were shielding, didn’t have a reason or didn’t feel safe to leave their homes, it has been a long twelve months of isolation from friends, neighbours and in many cases family. This extended period of isolation has also caused many practical problems as people have had to rely on neighbours, paid helpers and sometimes strangers who have stepped forward or been called upon to help with shopping, paying bills, collecting prescriptions and other day-to-day tasks.
Whilst this has led to new friendships and community connections for many, there is concern that this reliance on others has led to a growing number of cases of both overt and more subtle forms of financial abuse.
What is financial abuse?
Financial abuse can take many forms but ranges from deliberate financial scams such as phishing and doorstep crime to more minor and unintended abuse such as an unscrupulous “helper” using an elderly person’s bank card to pay for their own shopping whilst buying essential supplies for the card’s owner. As the more vulnerable in society are not going to the bank or a cashpoint on a regular basis, it can be a long time before they notice that their account has been used or they may not notice at all.
The scale of Covid-related financial abuse is not yet, and may never be, fully known but there is anecdotal evidence that such scams and schemes are increasing. In particular at Winckworth Sherwood we have begun to receive troubling reports from family members of large sums of money having been taken from their loved ones’ bank accounts, that relatives have been coerced into signing important legal documents and even that they have changed their Wills in favour of individuals that they have only recently met.
Using a Lasting Power of Attorney to prevent financial abuse
For those concerned that a loved one may be at risk of financial abuse, we strongly recommend putting Lasting Powers of Attorney (“LPAs”) in place, and in particular an LPA for Property and Financial Affairs. This LPA allows the person making the document (the “donor”) to appoint a trusted person or persons to act as their attorney, who can then manage their bank accounts and sign financial documents on their behalf when they are physically unable to do so and also if they were to lose the mental capacity to make financial decisions themselves. Attorneys have a duty under the LPA to always act in the best interests of the donor and if they do not do so, they may be investigated by the Office of the Public Guardian (the “OPG”). While the donor has capacity to make financial decisions, the attorney must involve them in each decision and take their wishes into account.
Where shielding and repeated lockdowns are keeping many people at home, a Property and Financial Affairs LPA allows attorneys to monitor and manage bank accounts, organise and pay for online shopping, pay for cleaners and carers, reimburse neighbours who have helped out, and pay bills on the donor’s behalf. It also allows attorneys to keep an eye out for targeted financial abuse as they can monitor bank accounts and look out for unusual payments or withdrawals of unexpectedly large sums.
It takes a few months to complete the formalities of making an LPA, but there are short term measures such as a general power of attorney that can be put in place while the LPA is being registered. We suggest this is discussed with your solicitor when you make your LPA.
The attorney’s role during lockdown
The last year has also created challenges for attorneys acting under LPAs, particularly if the attorney lives at a distance from the donor or if the attorney has also been shielding. The OPG has issued guidance to attorneys reminding them that their role and responsibilities remain the same during the pandemic and that an attorney is not permitted to temporarily step down during lockdowns and then step back into the role at a later date. The OPG has also made it clear that in discharging their duties under an LPA, attorneys must follow government guidance on social distancing and self-isolation and must observe any national and local lockdown rules.
Our advice to attorneys throughout the pandemic has been to:
∙ Keep involving the donor in decisions that you make and keep at the forefront of your mind that every decision must be in the donor’s best interests.
∙ Keep in regular contact with the donor and see where you can help. If you cannot visit in person, have regular phone and/or video calls and consider asking a care worker to pass on messages and keep you up-to-date. Try to obtain contact details for the donor’s neighbours and local friends, who you can call on to help, or to check in with the donor if you are unable to make contact.
∙ If the donor is happy for you to do so, register the LPA at their bank so you can pay bills and keep an eye on payments in and out. If the donor is worried about bills sitting unpaid, register the LPA with the utility companies so that bills go directly to the attorney.
∙ If you need to talk to the donor about a specific decision, think about how urgent it is and whether the decision could be delayed. If it is urgent and you cannot discuss it with the donor remotely, think about decisions and written statements the person has made in the past.
∙ Although an attorney cannot ask a third party to make decisions for them, once a decision has been made, you can ask someone to help with the task in question. For example, you can ask the donor’s neighbour to buy food for the donor and provide you with a copy of the receipt.
∙ Ensure any care visits, property repairs etc. that either you or the donor arrange are formally documented, that prices are agreed beforehand, and that you check credentials and take up references for anyone visiting the donor’s home. Remember that if a decision relates to the donor’s living arrangements or daily routine and care, then you must discuss this with the donor’s Health and Welfare attorney, if they have one.
If you suspect undue influence or financial abuse
As the year has gone on and the initial neighbourly offers of help have dwindled, we are hearing that many vulnerable people have had to turn to strangers to help instead. This is a worrying trend as it allows fraudsters and unscrupulous new friends to exert influence on the elderly and vulnerable and put pressure on them to make poor decisions, give away control of their finances, or even give away money and assets.
Remember that not all strangers have bad intentions and that not all financial abuse is deliberate, so attorneys should be careful not to jump to conclusions. Our advice is to keep in regular contact with the donor to ensure you find out about any new acquaintances and so that you can stay alert to possible abuse. Red flags range from changes in spending habits, notices that bills have not been paid and unexplained transfers or withdrawals from bank accounts to less obvious signs such as a change in the donor’s behaviour. These more subtle warning signs include the donor becoming secretive with you and others in their close circle, a seeming reluctance to spend money even on everyday supplies and an uncharacteristic lack of confidence in their abilities to deal with paperwork and carry out day-to-day tasks.
If the donor has made a decision that you feel is unwise, for example if you discover they have given away property or changed their Will, get as much information as you can about what has happened and who was involved. If you think the donor has been coerced into making the decision or you are worried that they did not have the capacity to have made that decision, attorneys can use their power under the LPA to instruct a solicitor on the donor’s behalf. A solicitor can arrange for a mental capacity specialist to visit the donor to talk through the decision they made and, if issues are discovered quickly enough, they may be able to intervene before any property has been formally transferred. If fraud has already taken place or money or property has been given away, you should report the incident to the police. The police alongside your solicitor can then advise on any steps that could be taken to recover those assets.