5 WAYS TO BE SURE YOUR GIFT CARD ISN’T HACKED

Whether you are holiday shopping or looking for a gift at any other time of year, finding the perfect gift can be elating. As delightful as it sounds to find and give the perfect gift, the National Retail Federation reports that more than 60% of consumers would rather you gave them a gift card.1 And nowadays you can find racks and racks in retailers ranging from megastores to minimarkets, as well as online sites catering specifically to this style of streamlined gift-giving. It’s all so easy, right?

Most of the time, everything runs smoothly, but exceptions are edging into public awareness. Retailers from Starbucks2 to Nordstrom3 have had their cards hacked, with fraudsters exploiting any weak link in the chain of purchase. The end result is awkwardness at checkout when the pre-scammed recipient innocently attempts to pay with the card, the possibility that the hack could drain funds beyond the reach of the amount placed on the card, and a potentially drawn-out shuffle in acceptance of retail responsibility. But all of it is avoidable. There are ways to prevent fraud before a penny is placed on the plastic.

Current scam tactics range from those used by skilled criminals to simple tricks at the point of sale. But a little knowledge is insurance against risky purchases.

  1. Skimming

A fraudster takes a gift card off the rack and uses an electronic reader (aka skimmer) to read all the data, then goes home and makes a counterfeit card. The perpetrator then waits for that particular card to be loaded in the store, then uses the fake card to make purchases. It’s estimated that 13% of gift card fraud is due to counterfeit or skimmed cards.4 Alternatively, they could steal cards, do the reading at home, and then return the stack of cards as if they were as fresh as the day they were delivered, or simply write down serial numbers while hanging out in the aisles.

How does the scammer then know which gift cards have been charged up? Every few days he simply calls the gift card phone number and enters the card’s unique numbers to find out if money has been added, and the remaining balances.5 What makes it easy is that most of these systems do not have second-level security; in other words, no password is required.

How to avoid it:

Purchase cards kept in locked cases that the public cannot access. Purchase in the retail store or on the secure website of the retailer that issues the gift card.

  2. Stickers

Most gift cards that are displayed on sales racks are just blank cards. A dollar value is added to the card upon card activation during purchase. In this scheme, a thief steals an inactive gift card and duplicates its barcode on a sticker. He then applies the sticker over the genuine barcode of another gift card in the store and waits for an unsuspecting customer to buy the altered card. When the sticker containing the barcode of the stolen gift card is scanned, it activates the previously stolen card instead of the gift card that the customer is buying.6

How to avoid it:

Carefully examine the gift card before purchasing. Check that the sticker looks the same as those you are accustomed to seeing on credit and other account cards. If there is a PIN number, make sure that it is not visible. Don’t purchase any card that appears to have been tampered with.

  3. Switched at Checkout

This gift card scam only works when a store employee is part of the plan. As the customer hands a gift card to the cashier for activation, the cashier activates a different card and hands the original back to the customer. (Or the opposite is true. The cashier activates the first card, but hands an inactive card to the customer.) In either case, the cashier racks up activated gift cards while handing out blanks.7

How to avoid it:

Keep your eye on the gift card at all times and ask to have it handed back to you as soon as the card is activated. Check the gift card number listed on the activation receipt to ensure it matches the number on the card you just received. If the employee acts distracted or tries to distract you during gift card activation, it could be a scam.8

  4. Shutdown of Register

An employee rings up a gift card and activates it at the point of purchase. Before tendering the transaction, they unplug or conduct a hard shutdown of the register. In this instance the gift card most likely did not activate, and the transaction may not even have been recorded.9

How to avoid it:

Stay alert to the steps the cashier is taking while ringing up the card. If you notice the register being shut down, request your method of payment be handed back to you, and that any sale be immediately canceled.

  5. Sketchy Auction Sites

Cheap/discounted gift cards available from online auction sites may be stolen, counterfeit, or credit from returns for stolen merchandise.10 While all gift cards on these sites will be offered at some discount, with 10% less than the value of the card being common11, be wary of deeper deductions on these e-gift cards and physical gift cards.

How to avoid it:

If you are purchasing online, be sure the site is secure and look out for discounts too good to be believed, or buy directly from the retailer issuing the card.

In addition to the pointers above, it is important to realize how thieves can easily convert the value of a gift card into money or merchandise. If an account is hacked and the card’s auto-load feature is turned on, the fraudsters can quickly drain the attached bank account.12

Additional steps to take whenever you invest in a gift card:

  • Ask the cashier to scan the gift card in front of you. This will guarantee that your card is valid when you buy it, and that it reflects the balance you just charged it with.
  • Keep your receipt as proof of purchase as long as there is money stored on the gift card. Many retailers can track where the gift card was purchased, activated and used. If the card is stolen, some retailers will replace the card so long as you present a receipt.
  • Register the gift card on the store’s website. Although not all stores offer this option, if it is available, you will be able to uncover any misuse of your gift card sooner and quickly report it.
  • Never give your personal information, such as your Social Security number, date of birth, or any other unneeded private information, when purchasing a gift card. No reputable company will ask for this.13

By all means, don’t give up on gift cards. By taking these precautions, you’ll be able to sidestep the scams, and give or receive a gift without concern.

 

 

 

IMPROVE YOUR BOTTOM LINE THROUGH STANDARDIZED EQUIPMENT

In 2017, the only thing financial analysts can agree upon is that this year will hold unprecedented changes. Monumental policy shifts, new operating models, accelerated digitization and emerging technologies are just the tip of the banking iceberg. With so many unknowns looming in the future, many banks and credit unions are taking a fresh look at the internal areas that they can control. By standardizing their security equipment across all branch locations, financial institutions are realizing cost savings and enhanced efficiencies.

 

According to SNL Financial, there are approximately 93,000 bank branches in the U.S. Each of these locations possesses complex security systems ranging from basic door access to optimized surveillance cameras. Traditionally, new bank branches have been established in response to market demands and competitive forces. Often, additional facilities install the equipment and security systems most recommended at the time. As more and more branches are added, however, there is less and less equipment uniformity across the company. Such inconsistency can lead to lost productivity, reduced security and employee frustration.

 

Financial Institutions Invest in Standardized Equipment

 

Major financial institutions are recognizing this reality and responding by upgrading their branch locations to take advantage of standardized efficiencies. Sallie Mae, one of the nation’s largest financial service providers, recently implemented a company-wide standardization upgrade. The Sallie Mae enterprise conversion involved 20 sites with existing access control systems, video surveillance and alarm panels. Hundreds of doors of access control and thousands of users were tied together through an integrated platform that coordinated all facility components through a central operational center.

 

Standardized Equipment Saves Money

In addition to streamlining internal processes, standardizing security equipment across all branch locations saves money. As opposed to troubleshooting issues at each unique location, a standardized system allows a single technician to identify an issue once and apply required maintenance cross-system. Standardized practices also allow managers to negotiate equipment contracts based upon bulk parts that work for all branches.

As security equipment becomes increasingly digitized and software-driven, standardized systems additionally provide for instantaneous upgrades, often from a remote location. Maintaining system consistency across all branches results in reduced costs associated with training personnel on different platforms.

 

Standardized Equipment Saves Time

In large, multi-building facilities, when a failure occurs, prompt action is required to maintain access and security. Even with the most basic security component, such as an entrance door, when facilities are not standardized, maintenance personnel must physically inspect the hardware, determine the component required, return to the stockroom, search for the replacement part, and hope it’s in stock. When all branch doors are standardized, there is no need to store multiple parts or train personnel on varying procedures. On more complex components, such as keypads or surveillance devices, the time savings are even more dramatic.

 

Standardized Equipment Enhances Security

The longer it takes to correct a security breach, whether it’s an offline camera or a malfunctioning door lock, the higher the risk for the financial institution. When all branch locations use the same equipment, monitoring and repairs are completed faster, reducing the vulnerability of the bank or credit union. Many banks are making digital monitoring a part of their branch security standards. Software analysis of such advanced video offers proactive security strategies that help avoid a breach before it happens.

 

Standardized Equipment Ensures Efficiency

In many regions, bank employees rotate among various branch locations. Without standardized equipment, employees must be retrained to navigate the security requirements of each facility. Lack of branch consistency creates staff frustration, reduces efficiency and can ultimately lead to lapses in security.

 

What Equipment Should be Standard Across Branches?

Although each bank and credit union utilizes unique equipment configurations, financial institutions should evaluate the following security components to determine consistency across branch locations:

  • Alarm and Access Control
  • Video surveillance systems (interior and exterior)
  • Drive-up equipment
  • Night Depository
  • Safe Deposit Boxes
  • Drive-through Equipment
  • Vaults, chests, safes and lockers

 

The year ahead is certain to bring change. One way to limit the effect of such challenges is by employing industry best practices and standardizing security equipment. Contact SPC to explore the efficiencies available through uniform security upgrades.

 

 

 

KEEP CALM AND MIND THE GAPS – HOW FINANCIAL INSTITUTIONS CAN STOP CYBER BREACHES

Mind the gap. If you’ve ever been to London, you probably know the gap you’re supposed to mind: it’s old school – you can drop right into it. If you’re a bank or credit union, the gaps you need to be minding aren’t as easily spotted. Searching for them is a bit like the quest for Pokemon – they exist where you didn’t think to look. Though unlike the essentially meaningless pursuit of Pokemon, the gaps in your financial institution’s security could cost it its competitiveness if not tracked down.

Banks and credit unions are on high alert for signs of suspicious behavior on their networks; we know that. But the hackers know it too, and that isn’t going to stop them. To get to the money, cyber criminals are taking advantage of the areas where financial firms lack the insight to anticipate a vulnerability, with small and mid-sized firms at the greatest risk.1 Even the heavy-duty defense systems brought in by the big banks do not preclude them from security fissures. “Many financial institutions have not yet implemented proactive customer protection that focuses on root-cause prevention,” says Ross Hogan, global head of Kaspersky Lab’s fraud prevention division.2

For an institution to enjoy thriving longevity, cyber security must be at the core of its plan for sustained resilience. Beyond the hardened devices, encryption and protection surrounding systems, “an intelligence-focused approach will be required to create a comprehensive strategy. You cannot defend against what you do not know. True cyber security…is not simply purchasing the latest cyber security product. It requires a new mindset, as well as a new skill set.”3

Speaking at the Boston Fed’s 2016 Cybersecurity Conference in April, Anjan Mukherjee, Counselor to the Secretary and Deputy Assistant Secretary for Financial Institutions at the U.S. Treasury, stated that banks and other financial institutions should adopt best practices “to reduce the probability of an event happening, and if it does, minimize the cost,”4 and counseled taking these steps:

 

  • Use the NIST (National Institute of Standards and Technology) framework. “It is not a technical document,” he said. “It is a powerful tool that provides a common lexicon to facilitate communication within organizations and with outside third parties.”
  • Know and catalog all vendors that have access to your systems and data.
  • Make sure those third parties have appropriate cyber security practices, and conduct ongoing monitoring of them to remain sure.
  • Join FS-ISAC (Financial Services Information Sharing and Analysis Center). “Be mindful of privacy, but this is a group with 7,000 members, and it leverages knowledge of threat indicators.”
  • Practice response and recovery, to contain and mitigate. “Have an internal team and coordinate with external teams. Have a playbook and exercise it regularly.”
  • Have backup plans and work-arounds to make critical payments and deliveries manually if necessary.5

At this same 2016 Cybersecurity Conference, Peter Kruger, a partner at high-tech venture capital firm In-Q-Tel, warned that “the human element remains the weakest link in the security chain, stating: ‘77% of intrusions are through email. That’s the attack surface.’ And described situations like an employee being offered $20,000 to place a malicious USB thumb drive into a system.”6

Bolstering the philosophy that all assets must be accounted for, and everyone must become alert and engaged, securityintelligence.com recently advised all organizations to “take and maintain inventories of all their assets on the network and…assess the risks that different classes of assets face. They should also ensure employees are adequately trained in security awareness since they are on the front line and can be helpful in spotting potential vulnerabilities before they become a major problem.”7

With digitalization racing to meet the ever-growing demand for constant, simplified access, a shift in focus toward accompanying deadlocked security is essential to combatting future vulnerabilities. Closing up the gaps is not a task of Herculean proportions. It will indeed take longer than the time between tube stations, but it ensures that your financial institution won’t find itself at the end of its line.

 

 

 

MOBILE – HOW IS IT A PART OF YOUR STRATEGY?

Experts like those at eMarketer have already been tracking the rise in the number of mobile-only users, and the numbers are expected to continue climbing. Therefore, it has become more important than ever for financial organizations to establish a mobile presence that works. Put simply, mobile users can no longer be ignored now that digital banking is the norm.

 

The Stats Behind Mobile Banking

 

According to FI Navigator and Celent, more than half of all financial institutions already have a mobile app. And according to the 2016 Consumers and Mobile Financial Services Report by the Federal Reserve, 53% of adults with bank accounts use mobile banking on their smartphones (this number went up from 52% the previous year).

 

Users typically check their recent transactions and account balances, but they also transfer money between their own accounts and receive alerts in the form of emails, push notifications, or text messages.

 

Why Mobile Strategy Is a Must

 

Millennials have now become the biggest generation, surpassing Baby Boomers, and 92% of them use their smartphone as their primary device. As a result, self-service and mobile technology are changing the way companies, including retail banks, do business.

 

Beyond being able to do their banking from anywhere, consumers are also looking for ways to blend in-branch and digital experiences, specifically with the help of self-service interactive technology at physical locations.  

 

Financial professionals can’t deny that their customers want the convenience of doing their banking from home and on the go. If you can create a user experience that’s engaging and intuitive, you can tap into this market, differentiate yourself from your competitors, and meet the demands of your customer base.   

 

Bringing Mobile Strategies to Life

 

To create a mobile experience that works for your customers, you need to focus on the ease of use of your banking app, keeping it simple and easy to access. But you also need a website that works on mobile devices and fills in any gaps that are found within your app.  

 

The ultimate goal of your mobile banking strategy should be to amplify your brand experience and give customers the ability to access better information more quickly, all while helping them improve their decision making. Most importantly, customers want to be able to manage their money more effectively.  

 

Establishing Your Marketing Flow

 

To make mobile part of your marketing plan for your bank or credit union:

 

  1. Identify your business goals. For many financial institutions, the goal will be to increase interactions with customers, as well as provide them with an innovative way to do their banking every day. In doing so, you’ll be able to provide something that your competition isn’t offering, and that will help increase your ROI.

 

  2. Identify your customers’ needs. To build a successful mobile strategy, you need to understand why individuals would want to use your app, and where they would use it most. For example, will they use it to pay their bills while on the train to work, or will they be checking their account balance while they’re out shopping?

 

  3. Design an app with customer preferences in mind. It isn’t enough to just build an app and launch it; you need to be sure your app functions flawlessly and has an interface that the average user will be able to navigate with ease. The best way to accomplish this is by hiring qualified app designers who will take your market research into consideration and build a fast app that represents your brand and keeps customers engaged.

 

  4. Measure and make adjustments. After launching your mobile app, it’s time to measure the results, gain feedback from users, and make adjustments to serve their needs, particularly as those needs and expectations change over time. Updating your mobile app will be an ongoing process helped by analytics and the consistent collection of data on customer behavior.

 

Mobile strategies are no longer an option; they are a necessity. Failing to meet consumer demands, particularly in the area of mobile banking, will inevitably cause you to fall behind. If you need help with your mobile marketing strategy, including custom app development, contact us for a free consultation or to learn more.

 

 

 

WHAT YOU DON’T KNOW CAN HURT YOU: THE IMPORTANCE OF A SECURITY AUDIT

Earlier this year the FFIEC updated its Information Security Booklet, which helps institutions like banks and credit unions develop a risk-based security program. Featured prominently in its best-practice guidelines are risk identification, threat identification and identifying incidents. Clearly, there is an emphasis on identifying potential threats before they happen. That’s exactly what a security audit does and why regular security audits are critical to a financial institution’s well-being.

 

Ensure Compliance

The financial sector is one of the most highly regulated industries in the U.S. Ever-expanding FDIC and NCUA rules governing security measures can pose an overwhelming challenge to many banks. Conducting a regular security audit can help ensure regulatory compliance and avoid potential heavy penalties.

 

Secure Data

Some banks have given so much attention to minimizing high-tech data breaches that they’ve overlooked many of the low-brow data threats that exist in their physical environments. Consider, for example, the potential data loss that occurs when an intruder pockets a company USB drive, takes pictures of an unattended computer screen, or physically plants a malware-laden drive on a bank officer’s desk. Such scenarios can be avoided when a proactive security audit has been deployed.

 

Protect Employees

Banking professionals would agree that their most valuable assets are their employees. Keeping them as safe as customer data and deposits is imperative. But just how to go about ensuring their safety can be a confusing proposition. In addition to automated locks and alarms, does your bank require all employees to present identification? Can customers see employees’ work schedules and phone numbers? Does the parking lot have adequate lighting? The list of employee safety threats is long and makes up an important part of a comprehensive security audit.

 

Ensuring employee safety, securing financial data and avoiding regulatory fines are compelling reasons for conducting a security audit. But what exactly happens with an audit and who is best suited to conduct one?

 

Why is a Third-party Audit Valuable?

Think of your own home for a minute. Have you ever gone on an extended vacation and returned to “see” things that need attention that you didn’t notice before you left? Perhaps you recognize how badly the front door needs a fresh coat of paint or how much the deck needs to be stained. It’s a common occurrence. We become blind to that which we see every day. That’s one of the initial reasons why a security audit performed by a third party is so valuable. Fresh, trained eyes can identify potential threats you may have been passing by every day.

 

Where Should a Security Audit Start?

Although there’s not a specific starting point, a comprehensive review should include both the exterior and the interior of the facility.

Outside audits evaluate:

  • Building and perimeter layout
  • Property topography
  • Rooftop access points
  • Number of building entrances
  • Efficient lighting
  • Physical barriers

Interior audits examine:

  • Monitored entrances
  • Visible employee identification
  • Alarm locations
  • Camera positions
  • Smoke and fire detection

And that’s just for starters. Every security audit should be tailored to the facility design and employee size of each bank or credit union.

 

What Is the Invisible Security Audit?

It’s commonplace to consider door alarms and security cameras when investigating a bank’s security preparedness, but what about those unseen threats that lurk inside of ceilings or within equipment? These can be referred to as invisible security threats. A professional security audit will evaluate whether air ducts could be used for access, if facility glass is secure, and how efficiently components would operate in an actual emergency.

 

Could Employees be an Unintentional Security Threat?

No bank employee would intentionally be an accomplice to a crime, but they are often unknowing contributors to loss of data and assets. A comprehensive security audit will not just evaluate physical security threats, but human ones as well. Are employees in the habit of leaving doors propped open, ID badges unattended, or computer screens viewable? A security audit can identify lax office procedures and recommend processes that make the facility more secure for employees and customers alike.

 

When Is the Best Time to Conduct a Security Audit?

In addition to identifying the potential threats mentioned above, security audits create an inventory of all security devices, along with maintenance schedules and operating efficiencies. Conducting a thorough security audit is the first step to ensure a safe banking environment, and as such, should be performed sooner rather than later.

 

December is a good time to evaluate the past year and anticipate your bank’s security needs for the next 12 months. Security audits are often one of the most cost-effective measures that banks and credit unions can adopt. To learn more about the benefits of a comprehensive security audit, visit SPC.

 

SPC – helping bank and credit union professionals sleep better at night.