Are You Still Safe?

Heartbleed

As if the Target credit card breach four months ago was not enough, we now have another personal data breach to worry about. On Monday, April 7, 2014, an announcement was made that websites using certain versions of the OpenSSL cryptographic library had a memory handling bug that could be exploited to reveal personal user information, including user names, e-mails, passwords and potentially much, much more. The vulnerable code was published on December 31, 2011 and has been used by countless sites for well over two years.

What’s the risk? It’s a hard question to answer. Potentially the bug was not exploited or a particular individual’s data was never directly compromised, so no harm was done. Alternatively, some individual account passwords may have been compromised and someone out there has a list of user names and passwords and can, at their leisure, log into other people’s accounts and access more of their personal information, impersonate them or even access financial or medical records! Overall the risk is probably low, but if you’re the one with compromised information … it’s a lottery you probably don’t want to win.

So what do you need to do? The easy solution is to prevent potential access to your accounts. You can do this very simply by changing your password. The good news is that not all sites have been impacted by this bug, but a lot have and some are very big and popular and could potentially be very harmful. Both Wikipedia and Mashable have published detailed information about the Heartbleed vulnerability and also listed the largest sites that are (and are not) affected. Visit these sites and see where you need to change your password and please do this as soon as you can!

We do have some good news for you. a Snaggy diMe does not use OpenSSL, so we are not vulnerable to Heartbleed. And our payment processor, PayPal, has posted an announcement that they are not subject to this vulnerability either. But we do urge you to check your other service providers and see if you are impacted by Heartbleed.

Credit Cards, part 5 – The History of the Card

Bellamy from Wikimedia Commons

In the process of conducting research for this series of blogs, we learned a lot of credit card trivia. We wanted to share this “trivial” information with you so you can astound your friends when someone whips out plastic to pay for a purchase.

It was Edward Bellamy’s utopian novel Looking Backward, published in 1887, that first presented the concept of credit cards. In the book the cards were used to represent currency (dividend) owed the citizens by the government.

In the late 1800s and early 1900s many large companies offered some sort of credit to their established customers. Customers could make a purchase and be charged for it later, but this left each company with the burden of managing their own credit ledger and the risk of vetting the customers it would extend credit to. Many industries jumped in on this practice and some had cards that were accepted by multiple merchants. Retail, dining and air travel were among the pioneering industries in this area.

In 1950 Diners Club rolled out a charge card that was more globally accepted and in 1958 this concept was further built upon by American Express. Both companies offered consumers the ability to charge a purchase, but the condition of the transaction was that the bill must be paid in full at the end of the month, making these charge cards, not credit cards.

In 1958 Bank of America rolled out the BankAmericard in California. This was the first card that truly embraced the concept of revolving credit where customers could pay off a purchase over time, so long as they were willing to pay interest. In 1966 several banks joined together to form Master Charge, the country’s second true credit card.

Industry pioneer Diners Club International did not have the clout of the companies that it competed against. While the Diners Card was an early adopter and an industry leader, it was quickly trampled by American Express, Visa and MasterCard. In 1981 the Diners Club brand was sold to Citibank and in 2008 Citigroup sold the business to Discover Financial Services, which in 2011 converted all Diners Club Cards to the Discover brand.

Credit Cards

American Express is by far the oldest of the modern credit card companies. It was founded in 1850 by the same individuals who formed Wells Fargo. In fact, Wells Fargo was formed because not all of the shareholders in American Express wanted to expand to California, because in the 1850s there was no reliable way to get there. Thus the symbol of Wells Fargo is the stagecoach.

The Visa card has its roots going back to the Bank of Italy, which opened in San Francisco in 1904. Through acquisitions and mergers, Bank of Italy evolved into Bank of America and issued the BankAmericard to 60,000 customers in Fresno, CA in 1958. The BankAmericard program grew quickly and Bank of America licensed the card program to other banks. By 1970 the program was so large that Bank of America gave up direct control of the card in favor of creating National BankAmericard, Inc to manage the credit card platform. Even though the program had significant international reach, many foreign banks were reluctant to offer a “Bank of America” card to their customers and in 1975 the BankAmericard was rebranded to Visa.

In 1966 United California Bank (later known as the First Interstate Bank), Wells Fargo, Crocker National Bank and Bank of California formed the Master Charge alliance. In 1979 Master Charge was rebranded to MasterCard. Both Visa and MasterCard became independent companies, separate from the control of the banks that created them, in 2006.

The Discover Card is the youngest of the credit card giants. It was created in 1985 by Sears, which had been around since 1893. In the early 1980s Sears was America’s largest retailer. In addition to its brick and mortar retail business and the catalog business, Sears also owned insurance companies, brokerages and banks. The Discover Card was created as a credit card for America’s largest store. Overnight it was accepted at thousands of locations. It carried no annual fee, which was very uncommon at the time, and rewarded the consumers with a Cashback Bonus. To integrate itself further into the consumer landscape, Sears made the card available to any merchant who wanted to accept it with fees significantly lower than those of Visa and MasterCard. Still, there was resistance in the market as other retailers believed that accepting the Discover Card would serve only to help their direct competitor and in 1993 Sears was forced to spin off its financial division to give up direct control over the Discover Card.

Early on the individual charge and credit card programs issued card numbers to their customers starting with the number 1 and counting up. Consolidation in the industry created conflicts and card numbers evolved over the decades. Today’s credit card numbers are subject to the standards set by the American National Standards Institute. They are generally 13, 15 or 16 digits in length, although the actual recent historical range is from 12 to 19 digits. The first six digits are called the “Issuer Identification Number” and can be used to reference the financial institution that issued the card. The rest of the number is generated by the issuer to uniquely identify the card holder. A savvy card owner will know that all American Express cards start with the number “3”, all Visas start with a “4”, all MasterCards start with a “5” and all Discover Cards start with a “6”.

Additionally, all of these financial institutions rely on the Luhn Algorithm to validate their card numbers. Before the electronic revolution which enabled instant verification and validation of the account and before the “knuckleduster” slides that created a card imprint, all paperwork was done by hand. It wasn’t uncommon for a clerk to transpose or drop numbers as they scribbled information out in a hurry. The Luhn Algorithm was used to validate that the number written down is a potential card number, not a mistake or a fraudulent entry. The Luhn test was developed in 1954 by IBM scientist Hans Peter Luhn. It would allow a quick calculation against the card number and the checksum from that calculation had to match the last digit in the account. At the time this was the easiest way to validate that the number given was a potentially real account number, instead of a made up one.
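To make the Luhn test concrete, here is an added example (not part of the original post) that applies the checks described above and then goes one step further by enumerating which clerical slips the checksum misses. The function names and the sample number are constructed for illustration; the first-digit mapping is the one given in the post.

```python
# Added example (not from the original post): the Luhn check described above.
# It catches clerical mistakes; it does not prove that an account exists.

# First-digit mapping as stated in the post.
BRAND_BY_FIRST_DIGIT = {"3": "American Express", "4": "Visa",
                        "5": "MasterCard", "6": "Discover"}


def luhn_checksum(digits: str) -> int:
    """Luhn sum modulo 10 over a digit string; 0 means the number passes."""
    total = 0
    # Walk right to left, doubling every second digit (casting out nines).
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value = value * 2 - 9 if value > 4 else value * 2
        total += value
    return total % 10


def check_digit(partial: str) -> str:
    """Last digit that makes partial + digit pass the Luhn test."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


def validate(number: str):
    """Return (ok, detail): format, length (12-19 digits), then Luhn."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not (cleaned.isascii() and cleaned.isdigit()):
        return False, "non-digit characters"
    if not 12 <= len(cleaned) <= 19:
        return False, "length outside 12-19 digits"
    if luhn_checksum(cleaned) != 0:
        return False, "Luhn check failed"
    return True, BRAND_BY_FIRST_DIGIT.get(cleaned[0], "unknown issuer")


def undetected_errors(number: str):
    """Enumerate clerical errors that still pass Luhn.

    Returns (substitutions, swaps): every single-digit substitution and every
    adjacent transposition of `number` that the check fails to catch.
    """
    substitutions, swaps = [], []
    for i, original in enumerate(number):
        for d in "0123456789":
            mutated = number[:i] + d + number[i + 1:]
            if d != original and luhn_checksum(mutated) == 0:
                substitutions.append(mutated)
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        swapped = number[:i] + b + a + number[i + 2:]
        if a != b and luhn_checksum(swapped) == 0:
            swaps.append((i, a + b))
    return substitutions, swaps


# Constructed sample number (not a real account), built to contain "090".
PARTIAL = "4" + "0" * 12 + "90"
SAMPLE = PARTIAL + check_digit(PARTIAL)

if __name__ == "__main__":
    print(SAMPLE, validate(SAMPLE))
    print("last two swapped:", validate(SAMPLE[:-2] + SAMPLE[-1] + SAMPLE[-2]))
    print("one digit dropped:", validate(SAMPLE[:12] + SAMPLE[13:]))
    subs, swaps = undetected_errors(SAMPLE)
    print("undetected substitutions:", len(subs))
    print("undetected adjacent swaps:", swaps)
```

Every single mistyped digit is caught, and the only adjacent transposition that slips through is 09 written as 90 or the reverse. Passing the check says only that a number is well formed, so it is a typo filter and not a fraud control.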

So now you know the history of credit cards and together with a better understanding of what happened at Target and how your payments are processed at a Snaggy diMe, we hope that you will continue to trust the credit card system. Our greatest mission is to retain your trust, so that you continue to do business with us and as a part of this mission, we will continue to work closely with our partners to keep your financial information safe.

Credit Cards, part 4 – walla.by

Wallaby Card by Wallaby Financial

Last year a new customer visited us at a show and when his purchases were rung up, he pulled out his smart phone and started typing. We can actually take a smart phone PayPal transaction in person without touching a credit card, so this wasn’t a big surprise, but what he did next came as a bit of a shock. You see, he was using his smart phone to select which card he was going to use to pay for his purchase, not because all of the cards were maxed out and he needed to figure out where to squeeze in a few more bucks. No. He was using an app on his smart phone to determine which card gave him the best deal to make the purchase. No kidding. It’s all about the rewards.

This is one of those times when you have to stop and interview your customer to understand what’s going on.

He was using a service called walla.by by Wallaby Financial. A lot of us use credit cards that offer rewards. Some consumers select airline miles as a reward, others get gift cards and still others will get cash back. To make things more complicated, the reward deals change. As an example, this month Discover may give you 5% cash back on gasoline purchases and next month it will be 3% back at restaurants. At the same time Chase Freedom may offer 3% rewards at grocery stores this month and switch to 3% at movie theaters next month. If you have a handful of cards, like most Americans, keeping track of which vendor is offering a special reward for a particular class of purchases may become a significant burden very quickly. That’s where Wallaby comes in. Their tools help consumers identify and optimize the rewards already available to them. You shop anyway. Why not get the most out of your purchases?

The walla.by app is available for both Android and the iPhone to take shopping along with you, so that you can select the best card to use at the register. The download and the service itself are absolutely free and the following short video explains more about how walla.by works:

Wallaby Financial is also indicating that they will be coming out with a Wallaby Card, the one card to rule them all. All of your registered credit cards and reward programs will be linked to your one Wallaby Card, which you will be able to use at any retailer and Wallaby’s smart algorithm will determine which of the cards to place the purchase on. It’s a nifty idea and we all love getting the biggest bang for our buck.

Disclaimer: We have no formal relationship with Wallaby Financial. This is just a great idea that we wanted to share with our own customers.

Credit Cards, part 3 – Things You Should Do

Credit Card Thief by Brandon Holgersen/Wikimedia Commons

Today we want to pass on some wisdom that many banks and credit card agencies offer. It’s easy to take the power of a credit card for granted. You swipe it, the bill is paid, you move on. It’s a system designed for convenience. The problem with it is that this power is identical if your card is wielded in your hand or in someone else’s. Something is purchased and you get the bill. But if someone else swiped the card, all you get is the consolation prize of receiving the bill. To keep your financial information safe, there are a few easy steps that you can take.

  • If your credit card provider offers the option of adding your photograph to the card, take it. It will be very hard for a thief to use this card in person.
  • Only give your card number out over the phone if you initiated the call. This goes for all your personal information. Your bank already has your card number. They don’t need you to repeat it when they call you.
  • Never write down your PIN or CVV. Anywhere. They are small numbers and need to be remembered.
  • Save your receipts, at least until after the credit card bill comes in. And always check to make sure that you were charged the amount you had agreed to pay.
  • Carry only the cards you need. You may need one or two or maybe even three. Odds are that you will not need all 18 of your cards when you go grocery shopping.
  • Some security consultants advocate not signing the back of the card, but writing “see ID” in the signature line. Have your driver’s license ready to match the picture to the name. It forces a secondary verification that the card is really yours.
  • Don’t lend your credit cards to anyone any more than you would give them your driver’s license or social security card. This is information personal only to you. Legally it cannot be used by anyone other than you.
  • Have a list of your cards with their account numbers and issuing bank phone numbers in a safe place. If your card is lost or stolen, call to report it right away!
  • When shopping on-line, always look for the green lock on the browser address bar before entering your personal information. The closed green lock (which you can click on) verifies that the site is legitimate and is secured using SSL 3.0 encryption. If you see an open red lock, RUN!
  • When using an ATM, use your other hand to cover the hand entering your PIN. It’s a short number and it can cause a lot of grief if it falls into the wrong hands.
  • If you’re trying to decide between a credit card and a debit card, please remember that in fraudulent transactions your liability limit with a credit card will not exceed $50. With a debit card that liability limit is the size of your bank account.
  • It’s a good idea not to let your credit card out of your sight during a transaction. It’s very easy to duplicate the track data from the magnetic strip on the back – it just takes one swipe!

Smart security practices will help you avoid identity theft issues. It’s still up to the merchants you deal with to keep your information secure on their end. As Target recently demonstrated, even those who we think we can trust sometimes fail. Nothing will ever be 100% safe, but good practices on your side can help make your financial information a lot safer.

Credit Cards, part 2 – PayPal’s Security

PayPal by Sagar Savla/Wikimedia Commons

In our blog yesterday we talked about the security breach at Target that resulted in the release of 110 million credit card accounts. It’s probably safe to say that a good number of these accounts will be duplicates, but in spite of that, the idea of what could be as much as 40% of American shoppers losing control over their credit accounts is simply terrifying. We shop at Target and you probably do, too. A lot of Americans have a Target store just a short drive away from them.

The reason we decided to write this multi-part blog is to respond to the questions several of our customers had about the safety of financial transactions with our store.

It should not be a big secret or a surprise that our credit card vendor is PayPal. PayPal formed in 1998 and had an immediate success as an on-line credit card payment processor. It very quickly captured a large part of the eBay transaction market and in 2002 eBay chose to acquire PayPal in order to capture additional revenue from the transactions on their own website.

PayPal has been nothing short of a blockbuster phenomenon. In 2012, the latest year for which records have been published, PayPal’s payment volume processing was a staggering $145 billion, almost $4,600 transacted every second! That’s a lot of money flying through cyberspace. How do they keep it safe? To get an answer to this, we sat down with the PayPal Customer Solutions team.

The first step here is to explain how our transactions happen. The majority of our transactions happen on-line. Customers come to our website, select the items they want and when they are ready to pay, the shopping cart is sent to PayPal. Then the payment is between the customer and PayPal. When the transaction is completed, PayPal returns to us an indication that the contents of the cart have been paid for and gives us an address to ship the purchase to. The money is kept on account at PayPal, which also serves as a bank. Other than a name, an e-mail and a shipping address, we receive no personal or financial information regarding our customers.

The other way we process payments is in person. When a customer hands over a credit card, it is run through a reader which uses a Virtual Private Network to send the information to PayPal. The VPN is hosted by Verizon when we are traveling and Comcast when we are at home. A Virtual Private Network is an encrypted “tunnel” that uses digital encryption, making security tougher than guessing the numbers for this weekend’s PowerBall.

Once a connection with PayPal’s computers is established, an additional 128-bit security key is used to create a Secure Socket Layer, creating a security envelope within the original secure tunnel. If you are making a payment from your own computer, PayPal will check to make sure that your browser is capable of SSL 3.0 or better encryption before allowing the transaction to occur. Older browsers are not allowed to send financial information.

No matter which way you go, a Snaggy diMe does not store your financial information. Most of the time we don’t even see it or know which method you chose to pay. Credit cards, debit cards and electronic checks all look the same to us. All of this information is managed behind the scenes by PayPal.

PayPal’s servers sit in a secure facility which is guarded both physically and electronically. The machines themselves sit behind a series of firewall servers, effectively keeping them off the internet with no possibility of direct internet access. Additionally, PayPal uses a host of scanning algorithms that are constantly evaluating and testing their network. And there are specially designed anti-fraud algorithms, similar to those used by credit card companies, working to identify transaction risks. If there are any concerns, PayPal’s account specialists will place a call to the initiator of the transaction to confirm that they did indeed authorize the payment.

We spent a long time looking at on-line payment options in 2005 and we are happy to say that after this additional research, we remain very comfortable with the vendor that we selected. Tomorrow we will continue this series by talking about basic credit card safety.

Credit Cards, part 1 – Safe, Like Target

Target by Jay Reed/Wikimedia Commons

In the last few weeks we received several queries about credit card security in the wake of the recent Target data breach, and we wanted to take this opportunity to talk about what happened, how our credit card processing is different and about credit card safety in general. Today we will start with what happened at Target this past holiday shopping season.

It should be no big secret now that Target, one of the biggest box store retailers in the United States, suffered a data breach, which is now ranked as the second largest in United States history.

On December 19, 2013, Target issued a press release confirming the December 18 announcement by security expert Brian Krebs that they lost some 40 million credit card and debit card numbers in an unspecified security breach.  The breach took place between November 27 and December 15 and included the loss of customer names, card expiration dates and the CVV security codes.  On December 27 Target added customer PIN numbers to the data that was compromised and on January 10, 2014 the store added 70 million more cards to the tally, raising the breach to include 110 million customers, second only to the 2009 Heartland Payment Systems breach, which included 130 million cards.

Consumers scrambled to cancel or change their account numbers.  Some banks took extreme measures and limited how much money customers could access.  Nothing raises ire more than good customers being told their card is being denied when they know that their accounts are in good standing.

So what actually happened that caused Target to drop the ball and lose so much data?  This is hard to say.  Target only indicated that their security experts are working with law enforcement, including the United States Secret Service, to identify the hackers responsible for the breach.

Leaks from security consultants indicate that an unknown hacker – or group of hackers – penetrated two Target computer systems and siphoned off the data until the breach was discovered on December 15 and the “hole” was sealed.

Target initially indicated that only “track data” information, the information encoded on the magnetic stripe of the card, was stolen.  The magnetic stripe CVV code is different from the CVV code on the back of the card, which would prevent the thieves from being able to shop remotely, but if the data is burned onto new cards, the cards can be swiped to process transactions.

Later Target admitted that PINs were also stolen, meaning that the breach must have happened at the Target point-of-sale system where customers enter their PINs. On January 12 Target’s CEO, Gregg Steinhafel, said in an interview that malware was discovered in the point-of-sale terminals and that it was able to hijack the credit card information as it came in.

The ability for someone to access your financial accounts can be a scary thing.  A lot of people will spend a long time watching their credit and Target will take a very long time to overcome the stigma of this breach.  In tomorrow’s blog we’ll talk about how a Snaggy diMe uses your credit card, debit card and checking account numbers and what makes us different from the weakness identified in Target’s financial system.