Bitcoin Could Have Prevented Small Business From Being Crushed By Chargebacks (#GotBitcoin?)
Fraudsters ran stolen bank cards through the firm’s payment system, leading to $27,000 in reversal charges; ‘I can’t bear to look at the costs.’
Small businesses are increasingly battling costly cyberattacks. Sometimes the pain is enough to put them out of business.
In January, cyber thieves ran roughly 100,000 stolen card numbers through the payment system of Innovative Higher Ed Consulting Inc., a two-person startup in New York. Soon after, Bank of America Merchant Services, the startup’s payment processor, sent a $27,000 bill for reversing the charges.
“We had alerted the bank that there was fraudulent activity,” said IHEC co-founder Jessie Daniels, a sociology professor who started the company as a sideline. “Instead of saying, ‘Thank you,’ they came after us.” The fledgling company had just $1,200 in revenue when it closed in May because of the cyberattack, she said.
Bank of America Merchant Services, a joint venture between Bank of America Corp. and First Data Corp., said the company doesn’t discuss individual customers. A spokeswoman said the payment processor didn’t experience a data breach and its systems weren’t hacked.
It is up to business owners to activate security features that can prevent or limit such attacks, said a cybersecurity executive with Bank of America Merchant Services, speaking generally.
“Cars come with seat belts. They save lives. It’s up to you to click that in,” said the executive, Larry Brennan.
As larger companies harden their cyber defenses, small businesses are facing more attacks. Sixty-seven percent of small- and medium-size businesses reported they had experienced a cyberattack in the past 12 months, up from 55% in 2016, according to a 2018 survey of roughly 1,000 firms by the Ponemon Institute, a data-security research and consulting firm.
Even the smallest companies can be vulnerable. “It’s not unusual to hear that a small business in the formative stage has a relatively significant exposure,” said Larry Ponemon, the institute’s founder and chairman. “We have seen this time and time again.”
Some hacks target small businesses and startups for financial gain or intellectual property theft, while others use small firms as steppingstones to attack bigger companies, said Chandra McMahon, Verizon Communications Inc.’s chief information security officer. Small businesses accounted for 43% of the 2,013 confirmed data breaches Verizon analyzed in its latest data breach report, issued in May.
Ms. Daniels and Polly Thistlethwaite, a university librarian, launched IHEC in mid-2018 to teach academics how to get more attention for their research. They opened a business checking account at their Bank of America branch in the summer and soon after added a Bank of America Merchant Services Payeezy payment account, which lets firms accept card payments online.
In September, Bank of America Merchant Services sent Ms. Thistlethwaite an email with the subject line: “Have you activated your free fraud protection tools yet?” The email mentioned optional tools and filters, such as requiring customers to enter the security code on a card. “You must manually turn on and configure these features if you choose to use them,” it said.
IHEC’s owners say they didn’t turn on the security features because the payment system wasn’t yet linked to the company’s website, which was still under construction. In December, they processed their first transaction—for $200—sending a private link to the customer via email.
On Jan. 23, the IHEC owners said, fraudsters began running stolen card numbers through their Payeezy account, racking up $1 charges—a common tactic to test if the card numbers were still valid. Ms. Thistlethwaite said she received a phone message from Bank of America Merchant Services on Jan. 28, five days after the charges began, that said in part, “I have some information that I need to share with you.”
On Jan. 29, Ms. Daniels discovered IHEC’s bank balance had jumped to more than $4,700 from about $1,200. That same day, strangers began calling Ms. Thistlethwaite, whose phone number was connected to the account, about questionable $1 charges.
Mary Kathryn Johnson phoned from Newton, Mass., after noticing a $1 charge on a business debit card that sits in a drawer. “The reason I acted on it so quickly was that I had a feeling it was a fraudulent charge and they were phishing to see what they could do next.”
Over the next several days, as they tried to halt the transactions, IHEC’s owners visited their local Bank of America branch and had contact with Payeezy and Bank of America Merchant Services, according to a timeline the pair put together. During one call, a Payeezy employee said the problem was caused by a fraudulent Payeezy payment page with a hacked script embedded in it, according to notes taken by Ms. Thistlethwaite.
First Data didn’t respond to requests for comment. A Bank of America spokesman referred questions to Bank of America Merchant Services.
The $1 charges piled up even as the pair turned on security features, restricted access to the account and deleted Payeezy payment pages, as they say they were instructed by Payeezy representatives.
“I told them repeatedly to shut the account,” Ms. Thistlethwaite said. IHEC’s owners say the fraudulent activity finally ended Feb. 1, though they aren’t sure why. By then, nearly 4,000 questionable charges had gone through.
Mr. Ponemon, the security researcher, said banks should include basic cybersecurity protections, such as two-factor authentication, as a standard feature of the payment systems sold to small companies. “But they sometimes don’t do it because, from a profitability standpoint, there’s no incentive to do so,” Mr. Ponemon said. Those safeguards are important, he said, because small-business owners often don’t realize they are vulnerable.
When small businesses “set up their storefront, they have the same requirements as a big store” to make sure they are meeting all security requirements, said Mr. Brennan, the Bank of America Merchant Services executive.
The payment company allows businesses to set security filters and alerts that flag fraudulent activity at levels that best suit their needs, he added. “We don’t want very high velocity filters because if we do that we would minimize the amount of commerce a business can do,” Mr. Brennan said.
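A velocity filter of the kind described above, sketched as an added example; it is not Payeezy's or Bank of America Merchant Services' implementation, and the field names, thresholds and sample transactions are assumptions constructed for illustration. It holds small charges once too many distinct cards appear inside a sliding time window, which is the pattern of the $1 card-testing charges, and shows how the threshold choice trades missed fraud against blocked legitimate sales.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    ts: int        # seconds since the start of the sample
    card: str      # card token or fingerprint, never the card number itself
    amount: float  # charge amount in USD

class VelocityFilter:
    """Hold small charges when too many distinct cards appear in a time window."""

    def __init__(self, window_s=600, max_small_cards=5, small_amount=2.00):
        self.window_s = window_s                # sliding window length (assumed)
        self.max_small_cards = max_small_cards  # distinct cards tolerated (assumed)
        self.small_amount = small_amount        # what counts as a test-sized charge
        self.recent = deque()                   # (ts, card) of recent small charges

    def check(self, txn):
        """Return True if txn should be held for review. Expects time order."""
        if txn.amount > self.small_amount:
            return False  # ordinary-sized sales are outside this filter
        # Evict small charges that have aged out of the window.
        while self.recent and self.recent[0][0] <= txn.ts - self.window_s:
            self.recent.popleft()
        self.recent.append((txn.ts, txn.card))
        distinct_cards = {card for _, card in self.recent}
        return len(distinct_cards) > self.max_small_cards

def held(txns, **params):
    """Run txns (sorted by ts) through a fresh filter; return held card tokens."""
    vf = VelocityFilter(**params)
    return [t.card for t in txns if vf.check(t)]

# Constructed sample: one $200 sale, eight $1 sales an hour apart,
# then 20 $1 charges on 20 different cards, ten seconds apart.
LEGIT = [Txn(0, "c-legit-0", 200.00)] + [
    Txn(3600 * i, f"c-legit-{i}", 1.00) for i in range(1, 9)]
BURST = [Txn(30000 + 10 * i, f"c-stolen-{i}", 1.00) for i in range(20)]
SAMPLE = LEGIT + BURST

if __name__ == "__main__":
    print("default :", len(held(SAMPLE)), "held")
    print("loose   :", len(held(SAMPLE, max_small_cards=50)), "held")
    print("too wide:", len(held(SAMPLE, window_s=86400)), "held")
```

With the default settings only the burst is held; a threshold of 50 cards lets the whole burst through, and a 24-hour window starts holding the legitimate $1 sales as well.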
IHEC’s agreement with Bank of America Merchant Services includes a $25 fee for each chargeback. In March, Bank of America Merchant Services sent IHEC a collection notice for nearly $27,000. “The chargebacks keep rolling in,” said Ms. Thistlethwaite. “I can’t bear to look at the costs. They are just in a stack on my dresser.”
Ms. Daniels recently started a new company, Public Scholars LLC. “I’ll mostly be doing this,” she said, “as Polly’s enthusiasm for small business has hit her limit.”
Online fraud is a growing phenomenon that is becoming not only more sophisticated but also much more costly. In 2012 alone, fraud cost merchants more than $3.5 billion, an average of 0.9% of total online revenue. For individuals, $525 million was reported lost to fraud. These numbers grow with each successive year, and there are no signs of slowing down. In a world where we need to be ever more vigilant with our information online, one solution to fight back is Bitcoin.
Monty H. & Carolyn A.