Archive for 2021
8.4 Billion Passwords Breached: Are you sure the customer you’re emailing with is really your customer?June 18, 2021
Most financial companies consider their own security, ever-vigilant for attacks on their own systems, but data breaches taking place everywhere else still create new risks to deal with. What happens if those around you are severely compromised and nobody knows?
Will LaSala, the Director of Security Solutions at OneSpan, saw a giant red blip on the radar last week, the largest compilation of leaked passwords in history. A file containing 100 GB of 8.4 billion passwords appeared on a popular hacker forum.
Need your merchant to send you their bank log-ins to set up ACH payments? That is exactly when hackers can get you, LaSala said. LaSala said that these leaks have become more common this past year as the world became digital-first.
“So passwords are really a weak form of authentication, right? If you’re using a password today, you’re asking to be hacked,” LaSala said. “With this breach alone, it’s probably close to 25 billion credentials that are out in the dark web today.”
Dubbed ‘RockYou2021,’ it’s a shocking breach of collected data, even larger than the 3.2 billion email and password combinations leaked in February this year.
There are only 4.5 billion internet users, according to Statista, so that’s a lot of passwords. The only way to stop the steal is to get ahead of the blistering rate algorithm tech is evolving through multi-factor authentication, LaSala said. Many believe their passwords are safe, he said, because just five years ago they were unbreakable. Some of these now can be cracked in seconds.
“We saw the death of an [encryption] algorithm called DES about six or seven years ago now,” LaSala said. “Very soon after that, we saw the death of the next algorithm, which was called triple-DES. People did not believe that those algorithms could be cracked in the amount of time that it was.”
LaSala said that ultimately, without multiple factors, data is easy to take. Some hackers don’t just steal data or finances the moment they get access to it either, LaSala warned, but instead dig deep into systems for years, even decades. There, they may steal data quietly undetected or focus on installing backdoors to ensure their access is permanent.
Perhaps many financial companies are already monitoring for this type of intrusion, but what to make of the possibility that their customers have been compromised? How do they know that they’re even communicating with their actual customers? They could do well to advise their customers to use multi-factor authentication in everything else they do online, not just with them. It would probably be to everyone’s benefit.
“The ability to use something you have like a mobile device, plus something like a pin, or even a fingerprint or a base ID, you combine those different factors of authentication together, and it makes it so that breaches like this, you’re not going to get caught up in anymore,” LaSala said.
Change is happening south of the border. Online lenders and alternative funders are growing across Mexico much the same way as elsewhere. This week, Credijusto, an online small business lender based in Mexico City, acquired Banco Finterra, marking the first time that a fintech has acquired a bank in the country.
According to Reuters, “Credijusto aims to ramp up services for Mexican companies that sell to the United States, and build a business for U.S. companies that do cross-border trade in Mexico and beyond in Latin America.”
Mexico also has more than 6 million small businesses, a market that is effecively 4-6x larger than Canada’s.
Prior to this, Credijusto had already collectively raised $400M from Goldman Sachs, Credit Suisse, Point72 Ventures, New Residential Investment Corp., Kaszek, QED Investors, John Mack, Ignia, Promecap and LIV Capital.
“The acquisition of Banco Finterra seeks to create the first truly digital banking platform for Mexican companies in the future,” commented Allan Apoj, co-CEO of Credijusto. “This transaction marks an important milestone in Mexico and the region, and we are proud to be revolutionizing the future of banking in Latin America.”
Apoj’s partner, co-CEO David Poritz, hinted to Reuters that in a couple of years it may consider the acquisition of an American bank as well.
Earlier this year, Mexico began to allow fintech companies to obtain a Financial Technology Institution license.
Estamos muy orgullosos de revolucionar el futuro de la banca en México con la adquisición de Banco Finterra y de beneficiar así a las empresas a través de productos financieros de nueva generación. Conoce más de este gran logro: https://t.co/pbGBVyo04p pic.twitter.com/A32vaHDOB1
— Credijusto (@credijusto) June 15, 2021
Amazon merchant conglomerate Thrasio bought Yardline to incorporate e-commerce finance into the product offering. Thrasio has been active with Yardline since the firm’s initial backing of the company, and is now making Yardline a wholly owned subsidiary.
Yardline Chief Revenue Officer Seth Broman said that historically, e-commerce has been risky with no barrier to entry like traditional brick and mortar shops. Broman added that online stores used to be for supplements, but through Amazon’s third-party marketplace and Shopify’s help, scaling a quality business has become possible.
“Through COVID, the script was flipped,” Broman wrote in a statement. “E-commerce businesses became less risky, and brick-and-mortar businesses suffered the most. It’s also a much smaller universe and harder to target than a brick-and-mortar business.”
Thrasio boasts it is the largest acquirer of Amazon brands globally, and co-founder and co-CEO Carlos Cashman said 40% of brands they approach end up selling. Now, they can help scale those brands.
“Yardline will be an asset in creating more opportunities for these entrepreneurs and offering more sophisticated avenues for growth,” Cashman said in a statement. “They’ve been doing something different in the space—their strategic approach to providing embedded capital across e-commerce marketplaces is unique—and we’re eager to have their technology and proficiency on our team.”
Tomo Matsuo, president of Yardline, will be joining Thrasio’s senior leadership team. “It’s conceivable that every eCommerce-related platform will have FinTech capabilities in the future,” he said in a statement. “And our acquisition by Thrasio demonstrates that.”
Back in its heyday, the MCA industry began as credit card factoring. The original product was simple- purchase future credit card receivables, and collect a percentage of them every day: easy peasy. Then, the industry broadened into ACH, funding businesses that did not have credit card purchases and credit card receivables became less common.
But some funders still work with credit card payments through long-standing payment processor relationships. Cash Buoy is a Chicago-based MCA firm that uses a network of twelve major credit card processors and thousands of representatives from payments ISOs to fund old-fashioned MCAs. Co-Founder and president Sean Feighan would tell you that having connections in payments pays off for both merchants and ISOs.
“The whole point is to add value to their business. By doing split funding remittance,” Feighan said. “It’s a much more comfortable way for the merchant to pay back the advance, it gives them some breathing room on the ebbs and flows of their volume, as opposed to having that hard fixed daily ACH that doesn’t care if they were closed on Monday, are slow on Tuesday, or we’re in a global pandemic.”
Feighan attests that the CC model still works great. He said alongside co-founder Brian Batt, they started Cash Buoy to give ISOs a better option. He boasts a renewal rate of 90% on his CC products, and his default rates for standard MCAs are a “night and day difference” with CC splits.
But operating heavily within the payments realm requires some expertise, something that long-time veterans of the MCA space are fortunate to have accumulated from the era of the product’s origin.
Steven Hunter, a multi-decade industry vet explained where the MCA concept came from. Hunter worked at CAN Capital back in 2000 when it was still was called AdvanceMe when he and the data team developed one of the first credit card factoring products.
“The idea came across to build a credit card-based product, because a lot of the original development team other than myself, were the First Data guys,” Hunter said. “And they said ‘okay well what if we could factor future sales, instead of three invoices or accounts receivable or inventory’, which we all know how to factor those things, that’s been in place since biblical times.”
So they built a model, aiming to fund merchants and take out a small amount of money from their credit card splits. Merchants would never see the money hit their bank, and the product just felt like free investing money paid for off of the increase in future sales.
When restaurants and other merchants shut down during the pandemic or rolled back to 25% capacity, many ACH funders found out their customers could not keep up with the pre-set debits. While defaults were on the rise, Cash Buoy was getting paid back, Feighan said, at an admittedly slower rate but still seeing returns.
Feighan has intentionally shied away from ACH. Cash Buoy is modeled on his and Batts’ connections in the payments space. They founded Cash Buoy after five or six years of experience in on-boarding merchant accounts. Feighan said he tried brokering but became disappointed with the process of working with an outside funder.
“[Other firms] may not have the relationships to get split funding at national processors,” Feighan said. “Maybe they didn’t have enough business or money in the bank when they went through the application process with different processors to get true split funding accommodations.”
Hunter agreed that without payment connections it is hard to factor CCs these days. Shortly after AdvanceMe began CC splits, other firms caught up and began developing similar products, with slightly changed terms like automatic set ACH draws. Eventually, he said this made MCAs more loan-like as opposed to a real variable product.
In 2021, there are many reasons that firms adopt ACH right off the bat, he said.
“Well, several reasons one, not every company takes credit cards,” Hunter said. “The thing is that some credit card processors, I’m not going to name any names, are very hostile to the product and they will not actually help people. They won’t help you manage the remittance, they won’t split for you, because they consider you to be a competitor, afraid you will take a portion away.”
The final reason Hunter said is a lot less elegant. He said in order to make this work, as a direct funder, you have to exchange files with every credit card processor you work with every night on every deal you have.
“So you got to send them something out and say, populate this for us. ‘Joe’s Bait Shop, What did they do today? Today they did this much money, your split is 11%, here’s what’s coming to you,'” Hunter said. “Then you import that back into your system and Joe’s Bait Shop’s balance drops by this amount. Right, that’s hard. I mean it’s a pain in the ass to manage, and I have people who do nothing but exchange, you’ve got to have processors who work with you and you’ve got to have the expertise.”
Hunter now works as a consultant, known in the industry as a go-to for MCA funding help. As for Cash Buoy, after the pandemic year, things are only on the up and up. Covid could not have happened at a worse time right after a three-year bull run, Feighan said, but now that things are back, there are “high water funding amounts each month.”
“The biggest thing here in Cash Buoy are our partners, our ISO partners, and processors,” Feighan said. “And if anybody were to say, ‘tell me, what’s the most important thing to you, Cash Buoy,’ it is 100% Our agent partner program. That is number one. The whole point of the company was to be able to provide a ton of value to national processors and ISOs.”
The P2P Lending/Investor Forum formerly at LendAcademy.com is coming back!
“Upon further investigation it seems that our web hosting company, GC Solutions, has suddenly gone out of business,” they wrote. “We can no longer access our web portal to manage the site. We have left voicemails and emails so far to no avail. We received no warning and were taken completely by surprise. The backups we have are also with the hosting company.”
With the data seemingly permanently lost, deBanked acquired the rights to it last week (just the forum), with the hope that some proprietary methods of forensic recovery would be successful. A significant portion of the forum has since been restored, hosted now at debanked.com/p2pforum.
It is still a work in progress. There are still formatting issues and a number of missing posts. Passwords were also lost. If you were a user on the forum and wish for your account access to be restored, you must email us at firstname.lastname@example.org.
Thank you for your patience.
The original post announcing the loss:
It’s been 4,000 days since deBanked first came online as a blog, originally as MerchantProcessingResource.com in 2010.
I did not anticipate on Day 1 that I would still be here more than 10 years later, but here I am!
Thanks to everyone that has been reading, watching, following along, and attending our events. It has made the journey thus far very enjoyable.
I look forward to seeing you all again in person at Broker Fair 2021 in New York City.
Equipment financer, SMB, and franchise financier Balboa Capital, closed a $50 million corporate note financing from a “consortium of prominent, U.S.-based institutional investors.” The firm said it plans to use the financing to refinance a portion of corporate debt, and to fund working capital.
“This transaction demonstrates the strength of our business and our investors’ support for our strategy and growth potential in 2021 and beyond,” CFO Heather Parker said. “We are well-positioned as one of the largest independent financing companies in the United States and will continue to play a meaningful role in the nation’s economic recovery by helping small businesses access growth capital.”
Brean Capital, LLC served as Balboa Capital’s Exclusive Advisor and Placement Agent in connection with this transaction.
Last October, the firm secured its seventh equipment asset-backed securitization valued at $201 million. “This is another step toward our key business objectives, which are to increase our financial flexibility, continue our growth, and maintain sufficient capital during any economic condition,” Parker said.
Marqeta went public on the Nasdaq this afternoon, raising $1.2 billion and pricing higher than expectations. The firm priced 45.5 million shares at $27, and prices rose to over $30 a share.
Marqeta sells payment tech designed to detect fraud by issuing physical cards to independent contractor firms like DoorDash and Instacart. Contractors use Marqeta cards at point-of-sale in restaurants and supermarkets. Marqeta also enables Square’s Cash App debit card and Buy Now Pay Later fintech firms Affirm and Klarna to move money.
The firm applied for a public offering on May 15th, posting an annualized first quarter 2021 revenue growth of 123% to $108 million and a 2020 annual revenue that had doubled to $290.3 million.