ALERT: If you use a gateway or virtual terminal for payment processing --- Pay Special Attention (Remember, most integrated POS systems connect to a gateway).
EMV in the US has made life only slightly more difficult for fraudsters, but they find the new card security cumbersome enough that attacking POS systems is no longer worth the effort. So instead of wasting time hacking POS systems, hackers are bypassing them altogether and focusing their criminal efforts on hijacking merchant Gateway accounts. They accomplish this simply by "acquiring" Gateway API credentials and Gateway user credentials, and they are finding merchants to be ideal prey.
The scam works as follows: Hackers obtain a merchant's API or user credentials for their payment gateway, usually by very basic means (phishing attacks, etc.). They then run credits to prepaid cards under their control and withdraw the money at ATMs. They typically run 50+ credits to these cards, and often run sales on stolen cards, or even run reference transactions against existing cards in the gateway so that the accounting appears to stay in sync. The merchant only finds out when the chargebacks on the stolen cards start rolling in.
The best defense against this is simple... make sure you have a strong password policy:
- Stronger passwords
Weak user name and password combinations are still one of the leading causes of hacker success. Almost 75% of people use the exact same password for multiple accounts, and an even larger percentage of those have not changed that duplicate password in over five years. So it should come as no surprise that roughly 40% of people have had an online account hacked, a password stolen, or been notified that their personal information was compromised in the past year.
- Storing passwords (don't store them in a central location)
If a hacker can gain access to a physical device where all of your passwords are stored in one location, it's basically game over. There are numerous solutions available today if you can't remember complex passwords, such as password manager applications on your phone. One of the best and most effective methods, though, is still the one many experts recommend: write the password on a piece of paper and keep it in your wallet.
- Sharing passwords
The more people who know your password, the more likely it is to be compromised. Even if you employ sound password policies, who's to say that your co-workers adhere to the same level of security? It only takes one person sending a password via email to jeopardize your security. Plus, sharing passwords violates Payment Card Industry (PCI) compliance requirements.
Processors are starting to review suspicious refunds in an attempt to thwart these attacks. Unreferenced refunds (credits with no prior sale attached) are a warning sign for payment processors. So please do not be alarmed when your payment processor reaches out to you to verify refunds or credits that have no previous purchase attached to them. But our advice is: don't wait for the phone call alerting you to suspicious activity. Take the necessary steps now to prevent an attack, and ensure that your user credentials are secure and unique for your gateway account as well as for any Gateway API keys.
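The two warning signs described above, credits that reference no prior sale and a burst of credits issued through one set of gateway credentials, can be checked on the merchant side from a gateway transaction export rather than waiting for the processor's call. The following is an added example and not code from the original post or from any gateway vendor: the pipe-separated log format, the field names, the sample transactions and the thresholds (5 credits in one hour; the post says real attacks run 50+) are all constructed assumptions, so adapt them to your gateway's actual export.

```python
"""
Flag the gateway-hijack pattern in a transaction export:
  1. credits (refunds) that reference no prior sale, reference a sale
     that does not exist, or reference a sale made on a different card;
  2. bursts of credits issued through one API credential in a short window.

Added example; log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export (not a real gateway log), one transaction per line:
# timestamp|api_key_id|txn_id|txn_type|amount|card_last4|ref_txn_id
# key_web01 shows a legitimate sale/refund pair, then seven credits to two
# prepaid cards late at night; key_pos02 shows only normal activity.
SAMPLE_LOG = """\
2023-05-01T09:12:00|key_web01|t001|sale|49.99|1234|
2023-05-01T10:03:00|key_web01|t002|credit|49.99|1234|t001
2023-05-01T11:20:00|key_web01|t003|sale|120.00|5678|
2023-05-01T14:00:00|key_pos02|t011|sale|30.00|4321|
2023-05-01T14:30:00|key_pos02|t012|credit|30.00|4321|t011
2023-05-01T23:41:00|key_web01|t004|credit|500.00|9901|
2023-05-01T23:43:00|key_web01|t005|credit|500.00|9901|
2023-05-01T23:45:00|key_web01|t006|credit|500.00|9902|
2023-05-01T23:47:00|key_web01|t007|credit|500.00|9902|
2023-05-01T23:49:00|key_web01|t008|credit|500.00|9901|
2023-05-01T23:51:00|key_web01|t009|credit|500.00|9902|t999
2023-05-01T23:53:00|key_web01|t010|credit|120.00|9901|t003
"""


@dataclass
class Txn:
    ts: datetime
    api_key_id: str
    txn_id: str
    txn_type: str     # "sale" or "credit"
    amount: float
    card_last4: str
    ref_txn_id: str   # sale this credit refunds; empty when unreferenced


def parse_log(text: str) -> List[Txn]:
    """Parse the assumed pipe-separated export, sorted by timestamp."""
    txns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, key, tid, ttype, amt, last4, ref = line.split("|")
        txns.append(Txn(datetime.fromisoformat(ts), key, tid, ttype,
                        float(amt), last4, ref))
    return sorted(txns, key=lambda t: t.ts)


def find_unreferenced_credits(txns: List[Txn]) -> List[Txn]:
    """Credits with no valid prior sale on the same card."""
    sales = {t.txn_id: t for t in txns if t.txn_type == "sale"}
    flagged = []
    for t in txns:
        if t.txn_type != "credit":
            continue
        ref = sales.get(t.ref_txn_id)           # None if empty or unknown id
        if ref is None or ref.card_last4 != t.card_last4:
            flagged.append(t)
    return flagged


def find_credit_bursts(txns: List[Txn], window: timedelta = timedelta(hours=1),
                       threshold: int = 5) -> Dict[str, int]:
    """Per API credential, the largest number of credits in any sliding window;
    only credentials reaching the threshold are returned."""
    by_key = defaultdict(list)
    for t in txns:
        if t.txn_type == "credit":
            by_key[t.api_key_id].append(t.ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        j, best = 0, 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[key] = best
    return flagged


def scan(text: str) -> Dict[str, object]:
    """Produce the list a merchant would hand to the processor for verification."""
    txns = parse_log(text)
    return {
        "unreferenced_credits": [t.txn_id for t in find_unreferenced_credits(txns)],
        "burst_keys": find_credit_bursts(txns),
    }


if __name__ == "__main__":
    for k, v in scan(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it on the sample and every night-time credit is flagged, including t010, which references a real sale but to a different card, while the morning refund on key_web01 and the key_pos02 refund pass. Both checks are cheap to run daily against an export, and a hit on either is the moment to rotate the gateway credentials and API keys involved.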