Visa Alert on Weak Credentials

A Visa Alert dated October 28, 2010 and released today says criminals are exploiting weak credentials to breach merchant accounts and issue thousands of dollars of credit to debit cards.

Although no merchandise is sold, credit for a sale transaction will be applied to a foreign debit card. The criminals are sometimes clever enough to also issue a false sale transaction to balance the amount and obscure the breach.

Visa gives the following recommendations:

To prevent fraudulent credits from entering the payment card system, Visa recommends that acquirers and processors review their credit transaction monitoring rules. Issuers should monitor clients’ credit and debit card accounts for unusual credits without a matching debit transaction.

In addition, these precautions may also be taken:

  • Protect online credentials and use strong authentication to access online accounts.
  • Alert merchants to phishing, voice phishing (vishing) and other social engineering schemes that target merchant credentials.
  • Monitor accounts for unusual credits (particularly those with no original offsetting debit, or with the credit going to a different payment card account).
  • Identify exceptions to average sales in real time; decline (or hold for investigation) return transactions that exceed normal thresholds.
  • Confirm that incoming transaction data matches existing merchant name, terminal ID, acquirer bank identification number (BIN), and source of communication.
  • Match return and credit transactions to corresponding sales by account; decline or investigate mismatches.
  • Conduct real-time velocity monitoring of return and credit transactions by account or by single merchant.
  • Require merchants to report lost or stolen point-of-sale (POS) terminals; block all transactions from these terminals.
  • Allow only trusted IP filtering connections to access online web portals.
  • Immediately report suspected fraudulent credit schemes to the issuing bank that is receiving the credit; the issuing bank may agree to hold funds to prevent fraud loss and/or conduct velocity monitoring of return transactions by merchant location in real time.
  • Report suspected fraudulent credit schemes to the appropriate law enforcement or regulatory agency and to Visa Fraud Control at USFraudControl@visa.com (from the Visa U.S. or Canada regions) or Visa Payment System Risk at LACRMAC@visa.com (from the Visa Latin America and Caribbean region).
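
The credit-to-sale matching and real-time velocity monitoring items above, as an added example (not part of the Visa alert or the original post). The record fields, thresholds, reason strings and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the Visa alert); tune per merchant profile.
VELOCITY_WINDOW = timedelta(minutes=10)
MAX_CREDITS_PER_WINDOW = 3

def review_credits(transactions):
    """Return (txn_id, reason) pairs for credits to decline or hold; input sorted by time."""
    unrefunded = defaultdict(int)  # (merchant, account) -> sale cents not yet refunded
    recent = defaultdict(deque)    # merchant -> timestamps of recent credits
    flagged = []
    for t in transactions:
        key = (t["merchant"], t["account"])
        if t["type"] == "sale":
            unrefunded[key] += t["amount"]
            continue
        # Match the credit to earlier sales on the same account at this merchant.
        if unrefunded[key] == 0:
            flagged.append((t["id"], "no_matching_sale"))
        elif t["amount"] > unrefunded[key]:
            flagged.append((t["id"], "exceeds_matched_sales"))
        else:
            unrefunded[key] -= t["amount"]
        # Velocity: count this merchant's credits inside the sliding window.
        window = recent[t["merchant"]]
        window.append(t["time"])
        while t["time"] - window[0] > VELOCITY_WINDOW:
            window.popleft()
        if len(window) > MAX_CREDITS_PER_WINDOW:
            flagged.append((t["id"], "merchant_credit_velocity"))
    return flagged

def _t(txn_id, minute, merchant, account, kind, cents):
    return {"id": txn_id, "time": datetime(2010, 10, 28, 12, minute),
            "merchant": merchant, "account": account, "type": kind, "amount": cents}

# Constructed sample data: one genuine refund, then a balancing sale on one
# card followed by credits pushed to other cards with no prior sale.
SAMPLE = [
    _t("t1", 0, "M1", "A", "sale", 5000),
    _t("t2", 1, "M1", "A", "credit", 5000),
    _t("t3", 2, "M1", "B", "sale", 90000),
    _t("t4", 3, "M1", "C", "credit", 90000),
    _t("t5", 4, "M1", "D", "credit", 80000),
    _t("t6", 5, "M1", "E", "credit", 70000),
]
```

Because matching is keyed on merchant and card account, the balancing sale on account B does not offset the credits sent to accounts C, D and E, even though the merchant's totals appear to net out.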
