General Inquiries

Comdata Security Issues

  • 1.  Comdata Security Issues

    Posted 05-07-2019 15:58
    For all of you who use Comdata I wanted to share a fraud story with you that everyone with Comdata needs to understand and be aware of.

    We switched to Comdata last summer and use the virtual and physical cards.  Back on March 7th my accountant, who is the daily admin of the program, opened an email attachment on an email from a legitimate vendor of ours.  However, the vendor's email had been hacked and the attachment installed a trojan malware behind the scenes.  That malware then installed other malware that either took screenshots or recorded keystrokes; we aren't quite sure what happened.  The hacker was able to obtain the admin credentials and log into Comdata's site from another IP address without issue.  That weekend the hacker flooded my accountant's email with spam, so when she came in on Monday she spent the morning dealing with that.  I've now learned that is a tactic hackers use in case Comdata sent an email about the "foreign" access from a new IP address (which Comdata does not do).  On Monday, March 11th the hacker logged in again and was able to order a card and ship it to a Days Inn in Sunny Isles, FL.  Starting on Thursday the 14th the hacker started at a Subway for $2, then Best Buy for $100, $300, and $400 in gift cards.  All went through, of course.  Then he went to town stopping at Best Buy and Apple stores, and a wine store.  Day one's total charges were $42,900, day two's were $56,900, and day three's were $25,300, for a total of just over $125k.


    The first time Comdata alerted us to suspicious activity was Friday night at 7:30pm (after $100k had been charged).  Apparently the hacker logged back in as the admin and was able to take the card off fraud hold and resume charging on Saturday.  I responded to the risk alert at 1am on Saturday and told them the charges were not ours.  The next morning I happened to be in the office working on Saturday and I received another email with new charges being flagged; I responded again that the charges were from a card that wasn't ours and should not be associated with our account.  Comdata finally shut the card and admin login down that weekend, but only hours later, after the hacker was able to charge another $20k.


    I investigated all of this thoroughly, hence the reason I have all the details, and although we clearly had some issues on our end for allowing it to get started, I highlighted numerous issues with Comdata's system that would have prevented or limited the losses.  This is what you guys should be aware of (red are my statements to Comdata and in blue some additional commentary).

    Fraud Monitoring Red Flags that weren't triggered

    • Brand new card issued to a new mailing address that immediately started charging at a velocity that has never been exhibited on any of our cards, nearly all at electronics stores in a geographic area new to any of our current charge activity.
    • $42,895.26 charged on the first day without a fraud alert being triggered (all but a $2.13 charge at Subway were at eight separately identified electronics stores)
      • Classic example of fraud where the charges are increasingly bolder as they test the limits of the card
      • 12 individual charges at Best Buy with four stores having multiple purchases within a few minutes, all charges within 5 hours totaling $35,418.98. 
    • $51,056.62 charged on the second day before the first decline happened (that's $93,951.88 in charges in 28 hours before a decline)  These charges were similar to day 1, mostly electronic stores with a $5,495 wine purchase in between (he needed a break from electronics I guess).
    • $81,435.19 charged at Best Buy in first two days and charges still allowed on day three. 

    (Their excuse for all the clearly fraudulent charge activity not being flagged is because it is a chip card and therefore the velocity and spend activity [e.g. $10k in 40 minutes over 3 transactions in the same Best Buy store] is given a greater security footprint before flagging it as fraud to prevent false flags.)


    Ways to stop or limit fraud like this that are not in place

    • System modifications needed to help prevent fraud
      • Dual authentication on logins when logging in from a new IP address (would have stopped this fraud) (I was at a conference in St Louis during one of my conversations with them and told them that I would have no problem accessing their website from the shared hotel conference wifi but my Salesforce login would require dual authentication.  How can my CRM be more secure than my credit card financial institution website??)
      • Email notification from Comdata when a new credit card is created (sent to all administrators).  (would have stopped this fraud)  (they responded that this was not possible)
      • Locking down the mailing address of new employees or having a workflow in place to approve a shipping address other than the default (would have stopped this fraud)  (they responded that they have customers who need to send to different addresses so they can't lock it down.  I told them that's fine, I just want the OPTION of locking my address down.  No, they don't have that as an option.)
      • Program limit on a per card credit limit that can't be changed by an admin (they don't have this)
      • Limits on the number of times a user's credit limit can be adjusted by the same person in a day/month.   (they don't have this)
    • Reports that could be used to assist in detecting fraud, especially when automatically sent to all administrators
      • Daily new card issued report (this would have stopped the fraud before the person even received it)  (report doesn't exist and even if it did no automation of reports is possible)
      • Daily Credit limit change report (this potentially would have alerted us faster than Risk Monitoring did) (report doesn't exist and even if it did no automation of reports is possible)
      • Declined charge report (I used to have this with another platform.  In this case we wouldn't have known about the fraud any earlier since the first decline was on day 2 but could be useful for other fraud) (report doesn't exist and no automation of reports is possible)
      • Current cardholder report (depending on timing could prevent fraud but the daily new card issued report would be best) (report does exist but no automation of reports is possible.  We are currently reviewing twice a week to ensure security.)
      • Report on charges over $1,000 sent to me every day (report does exist but no automation of reports is possible, they suggested I simply log in every day and run any reports I need.  I told them I'd prefer to have them automatically sent to me instead of wasting my time manually running every day.)


    After the internal investigations between us and Comdata they came back and said they are accepting no liability for the loss and we had to pay the full amount.  They acknowledged every flaw in their system that I pointed out but hung their hat on the fact that it was a legitimate login that accessed their system.  I expected them to have my back when it comes to fraud prevention and detection, and clearly that isn't important to them with glaring security issues like this.  We have since filed the loss with our crime insurance policy and are dealing with that, but we will have some kind of a loss due to deductibles.  Comdata is not willing to pay any part of that and we are now looking for a more secure program, even if it means we lose out on some rebate money.  The hassle and cost of dealing with fraud isn't worth it.  At the very least, those of you with Comdata should be looking at that cardholder report to ensure nobody shows up who shouldn't.  As I told Comdata, if this hacker figured out how to get $125k out of this fraud it is a guarantee that they will try again and have probably posted a "how to guide" somewhere on the dark web.  We will not be the only company to be hit by this.  Be careful.



    ------------------------------
    Brad Dalbec BS Accounting
    Cfo
    Builtech Services, LLC
    Schaumburg IL
    (630) 523-0174
    ------------------------------
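The "fraud monitoring red flags" listed in the post above (a brand-new card mailed to a non-default address, charging in a geography the account has never used, a tiny test charge followed by escalating amounts, and velocity at the same store) can each be written as a simple rule over an authorization stream. The following is an added example and is not Comdata's monitoring logic or code from the original post. The card, the known-state baseline, the thresholds, and the constructed day-one transaction list (shaped like the description above; only the $2.13 Subway charge and the $100/$300/$400 gift cards are figures from the post) are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Card:
    card_id: str
    issued: datetime           # when the card was created in the portal
    shipped_to_default: bool   # False = mailed somewhere other than the office


@dataclass(frozen=True)
class Txn:
    ts: datetime
    merchant: str
    store_id: str
    state: str
    amount: float


# Constructed baseline (assumption): states this account has historically charged in.
KNOWN_STATES = {"IL", "WI", "IN"}


def evaluate(card, txns, *, new_card_days=30, window=timedelta(hours=1),
             max_count=4, max_amount=5000.0, burst=timedelta(minutes=10)):
    """Return {rule_name: index of the first transaction that triggered it}.

    Transactions are walked in time order, as an authorization stream would be.
    Each rule fires at most once per card; thresholds are illustrative assumptions.
    """
    txns = sorted(txns, key=lambda t: t.ts)
    hits = {}

    def fire(rule, i):
        hits.setdefault(rule, i)

    for i, t in enumerate(txns):
        is_new = t.ts - card.issued <= timedelta(days=new_card_days)

        # Rule 1: brand-new card, mailed to a non-default address, already charging.
        if is_new and not card.shipped_to_default:
            fire("new_card_non_default_address", i)

        # Rule 2: new card transacting in a state the account has never used.
        if is_new and t.state not in KNOWN_STATES:
            fire("new_geography", i)

        # Rule 3: limit testing: a tiny first charge, then strictly increasing amounts.
        if i == 3:
            first4 = [x.amount for x in txns[:4]]
            if first4[0] < 5.0 and all(a < b for a, b in zip(first4, first4[1:])):
                fire("escalating_test_charges", i)

        # Rule 4: sliding-window velocity on both count and spend.
        recent = [x for x in txns[:i + 1] if t.ts - x.ts <= window]
        if len(recent) > max_count or sum(x.amount for x in recent) > max_amount:
            fire("velocity", i)

        # Rule 5: repeat purchases at the same physical store within minutes.
        if any(x.store_id == t.store_id and t.ts - x.ts <= burst for x in txns[:i]):
            fire("same_store_burst", i)

    return hits


def sample_card():
    """Constructed: card ordered 2019-03-11 and shipped to a hotel, not the office."""
    return Card("C-NEW-01", datetime(2019, 3, 11, 14, 0), shipped_to_default=False)


def sample_txns():
    """Constructed day-one stream shaped like the post's description; amounts are
    illustrative except the $2.13 Subway charge and the $100/$300/$400 gift cards."""
    d = datetime(2019, 3, 14)
    bb = "Best Buy"
    return [
        Txn(d.replace(hour=10, minute=2),  "Subway", "SUB-1", "FL",    2.13),
        Txn(d.replace(hour=10, minute=20), bb,       "BB-1",  "FL",  100.00),
        Txn(d.replace(hour=10, minute=24), bb,       "BB-1",  "FL",  300.00),
        Txn(d.replace(hour=10, minute=27), bb,       "BB-1",  "FL",  400.00),
        Txn(d.replace(hour=11, minute=5),  bb,       "BB-2",  "FL", 3200.00),
        Txn(d.replace(hour=11, minute=15), bb,       "BB-2",  "FL", 3500.00),
        Txn(d.replace(hour=11, minute=40), bb,       "BB-2",  "FL", 3400.00),
        Txn(d.replace(hour=13, minute=10), "Apple",  "AP-1",  "FL", 4800.00),
    ]


if __name__ == "__main__":
    hits = evaluate(sample_card(), sample_txns())
    for rule, idx in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"{rule:<30} first fired at transaction #{idx}")
```

Against the constructed stream, two rules fire on the very first $2.13 charge (new card to a non-default address, new geography), the same-store burst fires on the third charge, the escalating pattern on the fourth, and the velocity rule on the sixth, long before the day-one total approaches $42k. An established card charging twice in its home state in a day triggers nothing, which is the false-positive case the thresholds have to respect.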


  • 2.  RE: Comdata Security Issues

    Posted 05-08-2019 09:26
    Brad, that is a harrowing account.  I am very sorry that you and your company are going through such a situation.
    Thank you for sharing.

    Just a question, seeking to learn - does Comdata have dual authentication for logging into their web portal as administrator?
    Does Comdata check the IP address of the Administrator login?

    I know in the past, when logging into financial sites, some require the text confirmation by phone before allowing entry.
    And others make you identify yourself via other means than simply a password when logging in from a different computer - not my work computer.



    ------------------------------
    Joseph Harper CPA, CCIFP
    CFO
    Greater Dayton Construction Group
    Beavercreek OH
    (740) 607-1449
    ------------------------------



  • 3.  RE: Comdata Security Issues

    Posted 05-08-2019 12:40
    Joseph,
    No they do not have dual authentication which is how the hacker was able to log in from various computers/IP addresses.  They have a security word, however by default that word is visible as the person types it so screen viewing or keyboard recording would capture this.  In my example to them I was at a conference and could have used the public wifi with no issues from their site yet Salesforce would have required a dual authentication in order to log into their site.  Makes no sense.

    Paul,
    For various reasons we do not use the profiles.  Since the hacker obtained admin login credentials they would have been able to work around this or simply use an executive profile.  Dual authentication at login for new IP addresses would have prevented login access, and the option to lock down the mailing address of new cards would have prevented the card from getting into the hands of the hacker.  Neither of these options is available with Comdata.

    ------------------------------
    Brad Dalbec BS Accounting
    Cfo
    Builtech Services, LLC
    Schaumburg IL
    (630) 523-0174
    ------------------------------



  • 4.  RE: Comdata Security Issues

    Posted 05-08-2019 13:42
    Brad,

    Do you use Expense Track and Pin Numbers?

    ------------------------------
    Paul West
    Director of Enterprise Applications
    The Middlesex Companies
    Orlando FL
    (407) 206-0077
    ------------------------------



  • 5.  RE: Comdata Security Issues

    Posted 05-08-2019 13:52
    We use Nexonia for expense reporting and approval.  I'm not sure what Expense Track would have done to prevent this from an administrator standpoint though.

    ------------------------------
    Brad Dalbec BS Accounting
    Cfo
    Builtech Services, LLC
    Schaumburg IL
    (630) 523-0174
    ------------------------------



  • 6.  RE: Comdata Security Issues

    Posted 05-08-2019 14:22
    Our AP staff monitors the Expense Track transactions as they occur. Our IT group does a pretty good job utilizing Mimecast and other tools to prevent hacking attempts.

    ------------------------------
    Paul West
    Director of Enterprise Applications
    The Middlesex Companies
    Orlando FL
    (407) 206-0077
    ------------------------------



  • 7.  RE: Comdata Security Issues

    Posted 05-09-2019 06:21
    I can't imagine not having spending profiles to limit the card's spending rights. Even our executive cards have limitations. We also receive automatic daily exception reports for spend that falls outside the warning criteria that we set up. Dual authentication would be a nice add, but I highly recommend the use of spending profiles.

    ------------------------------
    Tom Lowrey CPA C F O
    Scott Bridge Company, Inc.
    Opelika AL
    (334) 749-5045
    tlowrey@scottbridge.com
    ------------------------------



  • 8.  RE: Comdata Security Issues

    Posted 05-09-2019 10:53

    Yes, thanks for sharing Brad.  That is very disappointing that Comdata did not make this right.  I had a fraudulent charge issue with Comdata that was also denied by them, although our incident was not as blatant as yours as far as outside criminal activity (ours was initiated by an employee/manager fraudulently, the employee initiator factor being the reason for denial).   FYI, the employee/manager who initiated our fraudulent charge was immediately fired and police contacted, who have subsequently arrested and charged the employee, no matter to Comdata that these actions occurred.


    Your situation seals my decision to not expand our use of Comdata services.


    Robert McManus

    Chief Financial Officer

    Direct: 404.965.9349 

    Main: 404.361.5154 | Fax: 404.965.9355

    PO Box 45717 | Atlanta, GA 30320

    www.msrs.com


  • 9.  RE: Comdata Security Issues

    Posted 05-08-2019 10:05
    Brad,

    Do you not use Profiles when assigning cards?

    ------------------------------
    Paul West
    Director of Enterprise Applications
    The Middlesex Companies
    Orlando FL
    (407) 206-0077
    ------------------------------



  • 10.  RE: Comdata Security Issues

    Posted 05-09-2019 00:01
    Brad – the two of us have been in contact throughout the last few weeks to discuss the above-mentioned issues. This is an unfortunate incident, and while fraud represents only a very small percentage of Comdata's transactions, we take these matters seriously.

    Comdata enables more than 50% of all construction card volume and millions of additional transactions spanning all industries, which is why we currently offer a myriad of fraud prevention tools.

    However, we are always looking to optimize risk management strategies while enabling commerce for our clients, so your feedback is greatly appreciated.

    If any of our clients or prospective clients have questions or would like to learn about the tools we have available, please reach out to your relationship manager or contact us at RelationshipManagementTeam@COMDATA.COM.


    Harold Harr
    Director - Relationship Management
    Comdata

    ------------------------------
    Harold Harr
    RSM, Construction
    Comdata Corporation
    Brentwood TN
    (615) 370-7431
    ------------------------------



  • 11.  RE: Comdata Security Issues

    Posted 05-09-2019 00:35
    Edited by Brad Dalbec 05-09-2019 09:56
    Yes indeed, I spoke with Harold and many others at Comdata to discuss my fraud scenario.  Nobody was rude or dismissive, and they listened to my issues.  My original sales person and his boss were aggressively trying to fight for me within Comdata.  HOWEVER Comdata's fraud prevention tools (as I detailed in my posting) failed to stop this due mainly to missing security options that everyone should expect, e.g. ability to lock down a mailing address for new cards and missing dual authentication for new IP address logins.  I was a great fan of Comdata's program and they even used me as a referral to get other firms signed up.  The volume of charge activity that Comdata has in construction, trucking, and other industries is exactly what makes these system control issues so concerning to me and should be to everyone on this message board who uses Comdata.  As CFOs and controllers of construction companies we have to constantly battle attempts at fraud and computer hacking.  Generally speaking we work in an industry that, compared to other industries, doesn't spend as much money on IT and IT security.  We often rely on our third party vendors to give us the best fraud prevention tools available to protect us from fraud and financial losses.

    As a "live" update to this posting, an hour ago I tested a new security measure that was put in place for me that many of you may want to consider as well.  Comdata was able to lock in my office IP address as the only IP address that can access their website.  Which is not perfect since many of us are traveling or working from home (on our company laptop) but it definitely improves my security over what I had with them.  Ideally I should be able to access Comdata's site from another IP address with appropriate security in place (e.g. dual authentication with a passcode sent to my cell phone or email that needs to be entered to login), but I'll take this measure for now.

    Although Comdata listened to my feedback that exposed their glaring system flaws, the final conclusion is what I detailed above.  A friendly conversation where I was told that Comdata was accepting zero liability for this fraud and I'm stuck dealing with the entire loss.  As of today I'm still working with my insurance company to get my claim processed and get a chunk of the money reimbursed back to me.

    ------------------------------
    Brad Dalbec BS Accounting
    Cfo
    Builtech Services, LLC
    Schaumburg IL
    (630) 523-0174
    ------------------------------



  • 12.  RE: Comdata Security Issues

    Posted 05-09-2019 07:55
    We utilize tools like Mimecast (email filtering) and Webroot (anti-virus / anti-malware) to prevent things like this from happening.  We also have different workstation policies to add another layer of permissions for workstations commonly used for these banking and other sensitive activities.  Our Controller and I are the only two people who have permissions within our bank systems and Comdata to authenticate changes in card limits, fund per diem cards or transfer funds.  We only perform these tasks on our company workstations.

    Prevention is truly the best line of defense against these horrible fraudsters.

    ------------------------------
    Brian Andrew BBA
    V.P. Of Finance & Technology
    Georgia Mechanical, Inc.
    Suwanee GA
    (404) 379-5198
    ------------------------------



  • 13.  RE: Comdata Security Issues

    Posted 05-09-2019 09:49
    We also utilize a sophisticated email filtering program and we run Webroot.  Didn't help in this case.  The original fraud happened on a company workstation.  I agree with you that we should lock down our workstations to take away the ability for users to install programs (right now they are local admins); however, we ran into problems with simple programs (e.g. GoToMeeting) that needed to be installed for the user to do their job and they didn't want to have to call our IT support firm every time.  We are a small firm, though, so there certainly will be times where I will have to access Comdata's site when I am traveling.  I am still accessing through a company computer but my connection IP address is different.

    What security do you have if your credentials were compromised and activity was performed under your ID?  That's where we then look to our third parties to have measures in place to add to the security measures we have in place.  Imagine if you could receive a text message to confirm a new credit card that was ordered, confirm a CC that is being ordered and shipped to an address other than the main office address, or alert you to credit increases that occur more than once in a given period of time.  The best security measures are proactive actions, not reactive.  In our age of daily spam attacks that are meant to breach our security we need to get more aggressive and not just rely on a few screen measures.  The more layers of security we have in place the less likely it is that we will have a loss.

    Regarding profiles, yes they would be helpful and we looked at them and are looking at them again now.  However we have a lot of traveling employees who would need to buy something at Best Buy or other electronics stores so we were unable to lock down the cards in a way that would have stopped this particular spending activity.  As I review the transactions maybe 5% of the transactions would have been prevented via a profile.  Again, the more layers we put in place the more we can limit losses like this though and this fraud has taught us numerous lessons on what to look for in a provider and what we need to change internally.

    ------------------------------
    Brad Dalbec BS Accounting
    Cfo
    Builtech Services, LLC
    Schaumburg IL
    (630) 523-0174
    ------------------------------
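The first post's "system modifications needed" list and the reply just above describe the same set of administrative controls: a second factor when an admin logs in from an IP address never seen before (or an outright IP lockdown), a notification to every administrator when a card is created, a second approver when a card is shipped anywhere other than the default office address, and a program ceiling plus a per-admin daily cap on credit-limit changes. The following is an added example of how those checks fit together as policy; it is not Comdata's system and not code from anyone in the thread. The admin names, the RFC 5737 documentation IP addresses, the office and hotel addresses, and every threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Admin:
    name: str
    known_ips: set          # IPs this admin has previously completed a second factor from


@dataclass
class CardProgram:
    default_ship_address: str
    admins: list                                    # every admin gets every notification
    require_mfa_on_new_ip: bool = True              # False reproduces the behaviour in the post
    ip_allowlist: set = field(default_factory=set)  # non-empty = IP lockdown, as in post 11
    lock_ship_address: bool = True                  # non-default address needs a 2nd approver
    program_card_ceiling: float = 10_000.0          # hard per-card limit no admin can raise
    max_limit_changes_per_day: int = 2
    notifications: list = field(default_factory=list)
    pending_approvals: list = field(default_factory=list)
    limit_changes: dict = field(default_factory=lambda: defaultdict(list))

    def login(self, admin, ip, password_ok, otp_ok=False):
        """A password plus a 'security word' typed on the same keyboard is one factor;
        an IP never seen for this admin must also present a second one (otp_ok)."""
        if not password_ok:
            return "deny"
        if self.ip_allowlist and ip not in self.ip_allowlist:
            return "deny"                    # IP lockdown: unknown network, no login at all
        if ip in admin.known_ips or not self.require_mfa_on_new_ip:
            return "allow"
        if otp_ok:
            admin.known_ips.add(ip)          # trust the IP only after a second factor succeeds
            return "allow"
        return "mfa_required"

    def order_card(self, admin, employee, ship_to, now):
        """Every new card notifies every admin; a non-default address is held for approval."""
        self._notify(f"{now:%Y-%m-%d %H:%M} {admin.name} ordered a card for {employee}, "
                     f"ship to: {ship_to}")
        if self.lock_ship_address and ship_to != self.default_ship_address:
            self.pending_approvals.append((admin.name, employee, ship_to))
            return "pending_second_approval"
        return "issued"

    def approve_shipment(self, approver, index=0):
        """Release a held card; the requester may not approve their own order."""
        requester, employee, ship_to = self.pending_approvals[index]
        if approver.name == requester:
            return "denied_self_approval"
        self.pending_approvals.pop(index)
        self._notify(f"{approver.name} approved shipping {employee}'s card to: {ship_to}")
        return "issued"

    def change_limit(self, admin, card_id, new_limit, now):
        """Program ceiling no admin can exceed, plus a per-admin cap on changes per day."""
        if new_limit > self.program_card_ceiling:
            return "denied_program_ceiling"
        today = [t for t in self.limit_changes[admin.name] if now - t < timedelta(days=1)]
        if len(today) >= self.max_limit_changes_per_day:
            self._notify(f"{now:%Y-%m-%d %H:%M} {admin.name} hit the daily limit-change cap "
                         f"on {card_id}")
            return "denied_daily_cap"
        self.limit_changes[admin.name] = today + [now]
        self._notify(f"{now:%Y-%m-%d %H:%M} {admin.name} set {card_id} limit to {new_limit:,.2f}")
        return "changed"

    def _notify(self, message):
        for a in self.admins:
            self.notifications.append((a.name, message))


def new_program(**overrides):
    """Constructed program: two admins, office IP 198.51.100.7 (documentation range)."""
    admins = [Admin("accountant", {"198.51.100.7"}), Admin("cfo", {"198.51.100.7"})]
    return CardProgram("100 Main St, Schaumburg IL", admins, **overrides)


def replay_incident():
    """The post's sequence (stolen password, new IP, card to a hotel) run once with
    the controls switched off and once with them on; the hardened card order is
    attempted anyway to show the second gate independently of the first."""
    attacker_ip = "203.0.113.9"
    legacy = new_program(require_mfa_on_new_ip=False, lock_ship_address=False)
    hardened = new_program()
    acct_l, acct_h = legacy.admins[0], hardened.admins[0]
    when = datetime(2019, 3, 11, 9, 30)
    hotel = "Days Inn, Sunny Isles FL"
    return {
        "legacy_login": legacy.login(acct_l, attacker_ip, password_ok=True),
        "legacy_card": legacy.order_card(acct_l, "new hire", hotel, when),
        "hardened_login": hardened.login(acct_h, attacker_ip, password_ok=True),
        "hardened_card": hardened.order_card(acct_h, "new hire", hotel, when),
    }


if __name__ == "__main__":
    for step, outcome in replay_incident().items():
        print(f"{step:<15} -> {outcome}")
```

With the controls off, the stolen password alone logs in from the unknown IP and the card ships to the hotel, which is the sequence in the post. With them on, the same login stops at "mfa_required", and even an admin who is already logged in cannot ship a card off-site without a different admin releasing it; the IP allowlist variant refuses the unknown network outright, which is the lockdown option discussed later in the thread, and a password typed together with a visible security word never satisfies the second-factor check because both are entered on the same compromised keyboard.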



  • 14.  RE: Comdata Security Issues

    Posted 05-10-2019 10:09
    Brad - Thanks for sharing your story. It's a real eye-opener and I've shared it with a few friends in the industry who are financial decision makers. Has Comdata shared with you their rationale for not implementing multi-factor authentication or similar technology to harden access to administrative functions on their platform?

    ------------------------------
    Sean Johnston
    Chief Financial Officer
    Butler-Cohen Design+Build
    Houston TX
    (713) 344-9381
    ------------------------------



  • 15.  RE: Comdata Security Issues

    Posted 05-13-2019 11:34
    Brad,

    This is a series of unfortunate events that unfortunately is becoming commonplace and an everyday occurrence.  I'm sorry that you had to go through it as so many others have.  I do have a couple questions for you though, my apologies if these were already addressed in this thread:

    1.  Previous to this attack, did your organization have an IRP (Incident Response Plan) in place for Cyber related events?
    • Does it include things like who to contact, who holds what responsibilities within your organization, what to do, how to communicate, when to engage outside support, etc.?
    • If you have one, how often is it tested and how often is it updated?

    2.  Do you know if any other systems or data were accessed and/or downloaded from the outside threat actor?

    3.  Are you aware of the potential regulatory fines if PII was accessed and what you are legally responsible to do if they have been?

    4.  While I'm glad you have a crime policy, I don't recall reading about a cyber policy.  Do you have one?

    Thank you in advance for taking time to respond.

    ------------------------------
    Ben Kahmann
    Insurance Advisor
    Hylant Group
    Cincinnati OH
    (513) 354-1612
    ------------------------------



  • 16.  RE: Comdata Security Issues

    Posted 06-06-2019 13:03
    Brad and thread followers:

    I just got off the phone with my Account folks.  They offered email alert of new cards being issued as an option.  Brad, it looked like you were told no on this.  It is being set up on our account and we will test with a new card we need to order, so will let you all know if it works.

    They also offered the IP address lockdown.  I have the same concerns about being able to remotely order cards, but I may seriously consider this option until they implement the dual factor authentication they told me is in the works.

    ------------------------------
    Tracey Fenolio CPA, CCIFP
    Controller
    FCL Builders, LLC
    Itasca IL
    (847) 209-7203
    ------------------------------



  • 17.  RE: Comdata Security Issues

    Posted 06-07-2019 01:29
    Tracey, this is definitely a new thing.  They were adamant that it was not available either as an immediate alert once the card was ordered or as an end-of-day report for all new card activity.  This is why we have to run a manual report a couple times a week in order to review for cards we don't know.  Apparently they are starting to address some of the issues I listed for them 2 months ago!

    Regarding the IP address lockdown: it took them a few weeks to offer that up to us, but we are using that as well.  The only issue is if your admin travels you will need to make sure to have a remote desktop off your servers so that the IP address is the same.  We tested it and ended up using it while in Vegas, so that does work if you have remote desktop.  At one point they were arguing that the security word was multi-factor authentication, which of course it is not, and does nothing to protect against logins from a foreign IP address.

    Meanwhile I am looking at Commerce Bank's platform since it appears to have solved all my security issues with Comdata.  Also looking into Capital One.  I'll keep everyone posted on that as well.

    ------------------------------
    Brad Dalbec BS Accounting
    Cfo
    Builtech Services, LLC
    Schaumburg IL
    (630) 523-0174
    ------------------------------



  • 18.  RE: Comdata Security Issues

    Posted 06-07-2019 12:04
    I just talked to Comdata this week about implementing the pay card and somehow they are now partnered with/ merged with/part of FINTWIST (not sure of the relationship). Any chance some of these issues have to do with the change to/merger with/adoption of this FINTWIST?

    ------------------------------
    Lynne Pace BS
    Chief Financial Officer
    Kinkaid Civil Construction
    Mesa AZ
    (480) 646-4438
    ------------------------------



  • 19.  RE: Comdata Security Issues

    Posted 06-09-2019 00:47
    Edited by Brad Dalbec 06-09-2019 00:54
    FINTWIST appears to be for employee payroll data.

    The issue I had is with the Comdata credit card program.  One thing I forgot to stress in my last response is not only were there security and system flaws with their credit card website, but they absolutely washed their hands of liability for the loss.  When I look at aligning with a partner I expect them to be a partner, which means sometimes they have to share in some pain if we run into an issue.  Even though Comdata clearly had flaws in their system that allowed the fraud to proceed past the point of my system being hacked and continue past the logical point of legitimate charges, Comdata's response was to tell me they would accept ZERO financial responsibility for the losses.  No offer to split the costs that my insurance doesn't cover or part of my deductible; they just forced me to pay for it all and deal with my insurance policy.  When the crap hit the fan and I looked for my partner to be by my side, they ran away from the financial loss as fast as they could.  That behavior is something that anyone working with Comdata needs to know about as well, because you could be the next one they run from and stick with a loss.

    I want to thank all of you at the conference who came up to me to discuss this issue.  I was surprised at how many people read this thread and became aware of these issues.  I'm glad to know my story is helping you by becoming aware of the security flaws that exist in the credit card provider marketplace, whether you are with Comdata or not.

    ------------------------------
    Brad Dalbec BS Accounting
    Cfo
    Builtech Services, LLC
    Schaumburg IL
    (630) 523-0174
    ------------------------------