Category: Fraud Prevention

Reduce the Risk of Fraudulent CSR Activity with OrangeCRM’s IP Address Whitelist

OrangeCRM provides many features that are designed to assist your business in risk management. An important area not to be overlooked is the need to protect against fraudulent activity from customer service reps.

One of the many ways OrangeCRM can help to significantly minimize such risk is by giving you the ability to control user access at the IP address level. This valuable feature allows you to block users from accessing OrangeCRM from unauthorized locations or devices, such as their home computer, cell phone or tablet.

Restricting user access to only approved work locations and devices is easy with OrangeCRM’s IP address whitelist. Simply open an ACL User record and go to the IP Address tab.

[Screenshot: ACL User - IP Address Tab]

Then enable the IP Whitelist and enter the public IP addresses the user is allowed to access from. Multiple IP addresses can be added to the whitelist individually and/or in a range.

[Screenshot: ACL User - IP Whitelist]

With the IP Whitelist enabled, user access will be denied when login attempts come from an IP address that is not on the whitelist.
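The allow/deny logic described above, as an added example that is not OrangeCRM's own code: a per-user whitelist that takes individual public addresses and inclusive ranges and denies any login whose source address matches neither. The class name, the RFC 1918 sanity check and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical sanity check: the page says to enter *public* addresses, so an
# RFC 1918, loopback or link-local entry can never match a real login source.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_internal(addr):
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in _RFC1918)

@dataclass
class UserIpWhitelist:
    """Mirrors the ACL User > IP Address tab: an enable flag plus
    individual addresses and inclusive (first, last) ranges."""
    enabled: bool = False
    singles: set = field(default_factory=set)
    ranges: list = field(default_factory=list)

    def add_address(self, text):
        addr = ipaddress.ip_address(text.strip())
        if _is_internal(addr):
            raise ValueError(f"{addr} is not a public address")
        self.singles.add(addr)

    def add_range(self, first_text, last_text):
        first = ipaddress.ip_address(first_text.strip())
        last = ipaddress.ip_address(last_text.strip())
        if first.version != last.version or first > last:
            raise ValueError("range must be one IP version with first <= last")
        self.ranges.append((first, last))

    def allows(self, source_text):
        """True if a login attempt from source_text should be permitted."""
        if not self.enabled:
            return True                      # whitelist off: no IP restriction
        try:
            src = ipaddress.ip_address(source_text.strip())
        except ValueError:
            return False                     # unparsable source address: deny
        if src in self.singles:
            return True
        return any(first <= src <= last
                   for first, last in self.ranges if first.version == src.version)
```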

For more useful suggestions and preventative measures that can help you reduce the risk of employee theft in OrangeCRM, see our previous post: Could Your Customer Service Reps be Placing Fraudulent Orders?

PCI Data Security Standard Version 3.1 Expires October 2016 – How to Implement Version 3.2

Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) was released in April 2016, with a compliance date of October 31, 2016.

Although version 3.1 will not expire until then, companies have been encouraged to adopt the new standard as soon as possible to prevent, detect and respond to cyber attacks that can lead to payment data breaches.

Key changes in PCI DSS 3.2 include:

  • Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS
  • Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
  • Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which was previously a separate document.

A full copy of the new PCI Data Security Standard version 3.2, including a Summary of Changes document, is available at: www.pcisecuritystandards.org/document_library.

PCI Perspectives blog post PCI DSS 3.2: What’s New? provides more information on changes to the standard and its supporting documents. The blog also outlines additional resources available for understanding and adopting PCI DSS version 3.2.

Is Your Business Ready for the EMV Chip Card Roll-out?

Tomorrow is the deadline that Visa and MasterCard have set for banks and retailers across the US to roll out a new system for more secure bank cards with microchips embedded in them. This change could potentially affect all types of businesses. Continue reading to find out how it may impact you and what actions are necessary.

How could EMV affect me?

While only establishments processing card-present transactions will be affected directly, companies that accept internet, phone or mail orders (card-not-present transactions) could experience dangerous side effects as a result of this change.

The way fraud liability is handled will be changing on October 1, 2015. If your customers use a chip enabled card for purchases made in person and you do not have an EMV reader, you may be liable for certain costs from counterfeit or stolen cards during card-present transactions. Previously, if businesses swiped a counterfeit or stolen card, the bank assumed the loss. To encourage retailers to adopt the more secure technology of EMV/chip cards, card issuers plan on shifting that loss to merchants, effective Oct 1.

Even if you strictly process card-not-present transactions, don’t breathe a sigh of relief just yet. An article published on creditcards.com states, “In every country that has switched to EMV cards — and the United States is the last developed country to do so — online fraud has jumped, says online fraud expert Brian Krebs.” The article goes on to explain, “as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities. At the top of the list, payment security experts say, is using stolen card numbers to buy stuff from the Internet. If counterfeiting physical cards is more trouble, criminals will naturally turn to buying items online with stolen credit card numbers. That’s been the pattern elsewhere, says Justin McDonald of The Fraud Practice, an anti-fraud consulting company.” Likewise, it wouldn’t be surprising to see an increase of credit card fraud in phone and mail orders as well.

What do I need to do?

If you process face-to-face credit card transactions, one of the first steps you need to take is to purchase EMV hardware. All of your customers’ cards will soon have their own embedded chip. Switching to an embedded reader may help reduce your liability for costs associated with certain kinds of credit card fraud. Click this link for a useful Step-by-Step Guide to EMV Migration for Small Businesses from Intuit.

If you accept internet, phone or mail orders, the coming spike in card-not-present fraud means you will need to improve controls to ensure that you know your customers are authentic. As with any type of fraud prevention, no single point solution will suffice. For the best results, merchants must take a layered approach to their defenses. To read about some of the available technologies that can help reduce the impact of the rising tide of threats, check out this white paper prepared by research and advisory firm Aite Group, entitled Card-Not-Present Fraud in a Post-EMV Environment: Combating the Fraud Spike. Also helpful is this link to an article from smallbiztrends.com outlining 10 Tips for Preventing Online Credit Card Fraud.

For more information on avoiding payment fraud, check out Community Merchants USA’s resources online.

Could Your Customer Service Reps be Placing Fraudulent Orders?

The unfortunate reality is that it’s all too common for customer service agents to find ways of placing fraudulent orders or altering legitimate orders so they can receive multiple free product shipments. Not only could you be losing merchandise, you could also lose upset customers whose orders have been shipped to an agent’s personal address.

OrangeCRM provides many features that are designed to protect against fraudulent orders, help you monitor CSR actions and quickly identify unauthorized activity.

Are you using all of these tools to their full potential?

Listed below are several useful suggestions and preventative measures that can help you minimize the risk of employee theft in OrangeCRM.

Closely manage and frequently monitor cash customers. Since cash transactions are auto approved by the CRM (if you allow cash transactions), CSRs could possibly find a way to enter cash orders that will be shipped to their personal address. If agents have access to your online shopping cart, don’t give them the ability to enter cash orders. Reserve that duty for managers or supervisors. If you have OrangeSOAP installed in your CRM and you allow agents to enter cash orders, make sure you frequently check those orders for suspicious activity. You can use the Quick Find Search to retrieve a list of cash customers created over a timespan. Look for warning signs such as multiple customers with the same name and/or address, as well as multiple Address Update or Fulfillment Resend Events in the OrangeEvent tab of a customer record.

Don’t give unauthorized users the ability to create a new Lead in OrangeCRM. Approved Leads create new Customer records. To prevent reps from creating fraudulent Customers from new Leads, make sure CSRs don’t have the MenuLead role, which provides access to the New Lead menu option.

Block users from accessing OrangeCRM from unapproved locations, such as their home. Restricting access to approved work locations only should significantly decrease the risk of fraudulent CSR activity. You can control this by creating an IP Whitelist in the IP Address tab of an ACL User record.

Don’t allow CSRs to submit new fulfillment requests for product shipments. Otherwise, reps could send themselves multiple free products. To eliminate that possibility, disable the Allow CSR Selection option on master product fulfillments, which will prevent users from being able to select them from the Request New Fulfillment action on a customer record.

Only allow managers or supervisors to submit reship requests. CSRs could potentially use the Resend Fulfillment action on a previous customer fulfillment to repeatedly ship merchandise to themselves. If your typical daily number of reship requests isn’t too high, you could add an increased measure of security by only allowing them to be submitted by users with the MgrAccess role. This can be controlled by enabling the Role Security feature on Fulfillment Events. To support this approach, you would need to train your CSRs to submit an OrangeTask ticket for each reship request, which would be resolved by a manager or supervisor who has the MgrAccess role.

Perform daily audits on Customer Events. Look specifically for multiple Address Update and/or Fulfillment Resend Events in the OrangeEvent tab of customer records. There are a few ways to check for this:

  • If your reps typically process a fairly small number of address updates and reship requests each day, you can review a historical record of such actions in the Events For Approval list by enabling the Require Signoff feature on select Events.
  • If your reps normally process a large quantity of events on a daily basis, it may be more practical to use the CSR Event Comparison report to quickly identify any agents who are performing Customer Update and/or Fulfillment Events significantly more often than the other agents. This would serve as a red flag that prompts you to investigate the details of such events.
  • You may also choose to perform a check on numerous randomly selected Customer Update and Fulfillment Events by using the Quick Find Search to retrieve a list of all Events performed on a particular day.
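The two checks recommended above, as an added example rather than anything from OrangeCRM itself: the cash-customer warning sign of several customer records sharing one address (from the first suggestion) and the CSR Event Comparison idea of flagging an agent whose Address Update and Fulfillment Resend volume is far above that of peers. The event records, field layout, agent names and the "3x the peer median" threshold are all constructed assumptions for this illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of OrangeEvent-style records: (date, agent, customer, event type, address).
EVENTS = [
    ("2016-05-02", "alice", "C100", "Address Update",     "12 Oak St, Macon GA"),
    ("2016-05-02", "alice", "C101", "Fulfillment Resend", "9 Elm Ave, Rome GA"),
    ("2016-05-02", "bob",   "C102", "Fulfillment Resend", "77 Pine Rd, Athens GA"),
    ("2016-05-02", "carol", "C103", "Address Update",     "4 Main St, Dalton GA"),
    ("2016-05-02", "carol", "C104", "Customer Note",      ""),
    ("2016-05-02", "jdoe",  "C105", "Address Update",     "301 Peach Ln, Apt 2, Griffin GA"),
    ("2016-05-02", "jdoe",  "C105", "Fulfillment Resend", "301 Peach Ln, Apt 2, Griffin GA"),
    ("2016-05-02", "jdoe",  "C106", "Address Update",     "301 peach ln apt 2 griffin ga"),
    ("2016-05-02", "jdoe",  "C106", "Fulfillment Resend", "301 peach ln apt 2 griffin ga"),
    ("2016-05-02", "jdoe",  "C107", "Address Update",     "301 Peach Ln Apt 2, Griffin, GA"),
    ("2016-05-02", "jdoe",  "C107", "Fulfillment Resend", "301 Peach Ln Apt 2, Griffin, GA"),
]
WATCHED = {"Address Update", "Fulfillment Resend"}

def watched_counts(events, day):
    """Per-agent count of watched events on one day (the event-comparison view)."""
    return Counter(e[1] for e in events if e[0] == day and e[3] in WATCHED)

def outlier_agents(counts, factor=3.0, floor=3):
    """Agents with at least `floor` events and >= factor x the median of their peers."""
    flagged = []
    for agent, n in counts.items():
        peers = [c for a, c in counts.items() if a != agent]
        if peers and n >= floor and n >= factor * median(peers):
            flagged.append(agent)
    return sorted(flagged)

def normalize_address(text):
    """Lower-case, drop punctuation and collapse whitespace so trivial
    re-typings of the same address compare equal."""
    kept = "".join(ch for ch in text.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())

def shared_ship_addresses(events):
    """Addresses that watched events attach to more than one customer record."""
    by_addr = defaultdict(set)
    for _, _, cust, etype, addr in events:
        if etype in WATCHED and addr:
            by_addr[normalize_address(addr)].add(cust)
    return {addr: sorted(custs) for addr, custs in by_addr.items() if len(custs) > 1}
```

Either hit is a prompt to open the flagged customer records and review the events in detail, not a verdict on its own.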

Make sure you can trace each Event back to the person who performed it. Don’t allow users to share logins and never use generic usernames, like Agent 1. Usernames should clearly identify each individual user. Always create a unique username and password for each agent.

If you need step by step instructions on how to implement any of these suggestions, please refer to the OrangeCRM Help Guide at help.orangecrm.com. If you need further assistance, phone support is also available at (770) 227-0036 Ext 1.


Online Fraud May Surge After EMV Chip Card Rollout

For those of you who sell goods online, you may want to consider increasing your fraud security measures. Why do we say that? “Sophisticated online fraud rings are expected to flourish in the next few years, even as the U.S. switches to credit cards embedded with anti-fraud computer chips”, says an article recently published by Tony Mecia. The deadline for retailers and card issuers to adopt EMV technology is October 2015.

The article goes on to explain, “as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities. At the top of the list, payment security experts say, is using stolen card numbers to buy stuff from the Internet. If counterfeiting physical cards is more trouble, criminals will naturally turn to buying items online with stolen credit card numbers. That’s been the pattern elsewhere, says Justin McDonald of The Fraud Practice, an anti-fraud consulting company.”

“For U.S. retailers, the coming wave of online fraud means they will need to improve controls to ensure that they know that their customers are authentic. This often involves new risk-management technologies and additional security questions or passwords, says Julie Conroy, research director with Aite Group.”

Is your online business ready?

To read more, click on the following link: www.creditcards.com.

© 2017 OrangeCRM Blog
