PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free
download.
Best Practices for
Secure Credit Card Transactions
Copyright 2017, Faulkner Information Services. All
Rights Reserved.
Docid: 00021391
Publication Date: 1705
Report Type: TUTORIAL
Preview
The US is in the crosshairs of the world’s most active and accomplished
payment card data thieves precisely because its financial networks have
long been the easiest targets in the developed world. The
number one contributor to this vulnerability: Magnetic stripe cards for
payment and identity authentication. Now, with a US transition
under way to chip-enabled payment cards, holders of stolen credit card
data are making a concerted effort to monetize their inventories while the
window of opportunity remains open.
Report Contents:
Executive Summary
[return to top of this
report]
Thieves, particularly technologically-oriented thieves, strike where they
discover three things: An easily exploited vulnerability, low risk of
getting caught, and a potentially large payoff.
US payment card issuers provide all three of those incentives through the
continuing use of credit and debit cards that include magnetic
stripe data. This flaw constitutes more than just a risk to merchants and
card users. The entire US consumer financial network is riddled
with a structural vulnerability related to the pervasive use of weak,
obsolete magstripe payment technologies that invite ID theft and card
fraud.
By contrast, in Europe, South America, and Asia, the dominant payment
card technology (known as chip-and-PIN or EMV) is highly secure: It is
extremely resistant to counterfeiting, and a stolen card is almost always
worthless to a thief. This makes both in-person and “Card Not Present”
fraud (through online, telephone, and mail transactions) rare. EMV has
been in use since the mid-1990s and is credited for reducing card fraud by
as much as 90 percent in some locales.
This record of success notwithstanding, US card issuers have snubbed EMV
and instead mandated an incremental migration to chip-based cards using a
security model called “chip-and-signature.” Chip-and-signature cards will
still carry magnetic stripe data
, are much less secure than EMV
cards if they are lost or stolen, and aren’t useful for travel outside the
US.
One year in, merchants and card holders have suffered the brunt of huge
spikes in card-not-present, account takeover, and new account creation
fraud. At the end of 2016, 64 percent of vendors had not fully implemented chip
and signature payment terminals. Merchants cited reasons relating to cost,
erratic performance and inability to integrate them with backend payment
systems. As of October 2015, US card issuers unilaterally shifted in-person
fraud liability to retail vendors if they had not installed chip and
signature terminals. Even in the face of this heavy-handed shove,
broad chip and signature adoption remains stalled.
Description
[return to top of this
report]
A Perfect Storm of Sophisticated Criminal Networks, Weak
Technology, and Short Term Thinking
In 2016, identity fraud reached a 13 year peak. According to Javelin
Strategy and Research, more than 15 million consumers were defrauded at
an estimated cost of $13 billion USD. Card fraud was the key driver.
Credit card fraud is the quintessential crime of opportunity, and
criminals are looking for three things, specifically, when they evaluate a
target:
- Easily exploited vulnerability.
- Low risk of getting caught.
- Potentially large payoffs.
As concerns the first item, US card based payment systems are
really nothing more than antiquated, single purpose, networked computer
systems. They typically include numerous components under the control of
many different service providers. The number of potential points of
weakness is
vast. It’s a scenario that dramatically reduces the likelihood of
hackers being detected, let alone caught. And with a 2016 paycheck
of around $16 billion, there is no doubt anywhere that this is a rich
opportunity.
Mounting a Defense Against Card Fraud
and ID Theft
Defending against any type of hacking is really a matter of identifying
weaknesses and hardening them before they can be exploited. This textbook definition of computer security vulnerability defines
the problem:
A computer system vulnerability is the confluence of three things: A
system weakness or flaw; an attacker’s access to tools, systems, or
people that will aid in exploitation of the flaw; and a means by which
to make contact with infected systems after the exploitation mechanism
is in place.
Thus, in the case of payment card fraud, there are three categories of
vulnerabilities which must be addressed:
- The insecurity inherent in the card.
- The behavior of the card owner.
- The chain of custody of card transaction data.
Far and away the easiest place to start eliminating vulnerabilities is with
the card.
Advanced Card Technologies
Nearly all of the payment cards issued in the EU and most issued
in Asia use an authentication system called chip-and-PIN, or EMV.
EMV was developed by collaborators Europay, MasterCard, and Visa and is
the de facto global payment technology standard. It has been
ubiquitous outside the US since the mid-1990’s.
EMV cards embed a single-chip computer that stores a biometric
identifier, passwords, data, and apps. It requires no battery because
an EMV card is powered by the reader. The card’s data and apps can’t be
accessed until both cardholder and reader are identified and validated as
legitimate. Conceptually, EMV cards secure an in-person transaction this
way:
- The card owner initiates a payment transaction by placing the EMV card
near the vendor’s EMV card reader. - The reader powers up the EMV card’s microprocessor.
- The EMV card prompts the user to enter a personal identification code
(PIN) on the reader’s key pad. - The reader feeds the PIN back to the EMV card.
- The EMV card uses onboard software to compare the PIN to an encrypted,
stored copy of the user’s PIN. - If the two match, the user is authenticated and the payment
transaction can proceed.
This technology was pioneered in France and has been widely deployed
there since 1996. It is credited with cutting in-person credit card fraud
in France by well over 90 percent. EMV payment cards are unappealing to
thieves as they are worthless without the PIN and will lock themselves
after three consecutive incorrect PIN inputs. EU consumers generally
perceive the benefits of theft-proof payment cards to be well worth the
effort of remembering and entering PINs; and, for convenience, some low
value transactions (e.g. transit fares) are exempted from PIN validation.
If cardholders guard the privacy of PINs, EMV based cards largely take the
“human behavior” security threat out of play. Losing a card may be
inconvenient but poses little financial risk to cardholder, issuer, or
vendor.
In the US, by contrast, significant problems with both cards and people
create serious exposure to card fraud.
Why Magnetic Stripe Payment Cards Are Doomed
One of the defining design features of magnetic stripe payment
cards is that they are fast, easy, and cheap to manufacture. That is
certainly part of why the US financial industry is so tenaciously enamored with
them: In bulk, they can be produced for a few pennies each, while
chip enabled cards cost a bit more than $1 USD to manufacture.
Anyone can create a magnetic stripe card.
Magnetic stripe card
writers sell on eBay for less than $150 USD, complete with accessory kit,
no questions asked.
It would be tedious to enumerate all of the ID theft and card fraud
headlines of the past 18 months, but if there is one definite takeaway, it
is that US payment cards are insecure and this harms consumers and businesses of every scale.
There is irrefutable evidence of robust trade in stolen credit
US data. It is routinely exported, aggregated, and distributed
for sale on Web sites registered in Russia, Somalia, Laos, and
elsewhere. Wholesalers are very sophisticated. They typically sort
and aggregate card numbers by address, right down to the zip code because
card counterfeiters prefer card data sourced from their own
localities. To further build loyalty, sellers offer purchasers a six
hour exchange guarantee – more than enough time for counterfeiters to
print and test cards. This is an efficient, thriving, entrenched industry, and
it is centered in some of the most lawless countries on the
planet. Interdiction is not a realistic possibility.
Current View
[return to top of this
report]
A Rocky Rollout for US Chip Card Payment Technology
When US card issuers unveiled their plan for chip and
signature based cards, their sales pitch to merchants and consumers was
that they would see an immediate drop in card fraud. One year in, the
numbers are published and they don’t look good. Identity theft rose
by more than 16 percent in 2016, costing individual consumers $16 billion USD,
a new high. Card-not-present fraud (as in phone and online
purchasing) rose by 40 percent, account takeovers were up by better than 60
percent, and
fraudulent account creation was up by 40 percent. The breadth and
sophistication of this surging criminal activity says a lot about the
adversaries US card issuers face. If it was their intent to bring the
entire system down, they could probably do it.
Chip-enabled card adoption is badly stalled in the US. About 64 percent of
merchants haven’t yet installed chip compatible point of sale payment
terminals,
but they only accounted for half of all in-person
credit card fraud.
Many merchants that bought and installed the new
terminal equipment have been unable implement it. Perhaps this shouldn’t be
surprising given the "Big Bang" style rollout and the wholesale confusion
regarding vendor, consumer, and card issuer roles and responsibilities in the
months leading up to the October 2015 deadline for shifting fraud liabilities to
vendors.
Card issuers seem to have embraced smart payment card technologies pretty
much exclusively as a means of shifting the cost of fraud rather than as a
means of preventing it. What is overlooked by this tactic is that, as a
practical matter,
cost
shifting is not the same as
consequence
shifting. For card issuers, consequences like lost opportunities and
enormous exposure to future risks aren’t going away. Among the most
serious current issues and obstacles for chip card adoption:
- Millions of merchants invested in chip enabled payment terminal
hardware, only to discover that their vendors and service providers
could not yet support them with transaction processing software. This
left merchants out of pocket for upgrades and also fully
liable for fraudulent transaction chargebacks by card issuers. Hannah
Walker, Senior Director of Technology and Nutrition Policy at the Food
Marketing Institute, reported that one member of her trade association –
a single medium sized grocery chain – experienced $1 million in chargebacks in one week. - Organized crime operations holding large inventories of stolen card
numbers are redoubling efforts to monetize stolen IDs while it is still
relatively easy to do so. - Merchants, who have arguably been treated unfairly in the chip card
transition process, are beginning to ask some very valid questions.
One hot button example: The .5 to 2.5 percent per transaction fee
merchants pay card issuers has always been justified by banks as an
“insurance premium against card fraud.” Why should vendors still
pay it since the cost of the fraud has been shifted to them?
VISA’s Compromise for Travelers
In most locales outside the US, chip-and-signature cards are not accepted.
Travelers outside the US need to either equip themselves with true EMV
compliant chip-and-PIN cards or plan on using some other form of payment.
Cardholders, predictably, are not happy about this. In response, VISA has
recently announced a small workaround that will be somewhat helpful. In
settings outside the US where VISA-enabled payment kiosks are in use (such
as public transit fares, bike rental, airport luggage carts), VISA’s
chip-and-signature cards should work for payment. While this won’t do much
for a traveler who wants to find a place to eat, drink, shop, or sleep, it
is worth knowing.
Outlook
[return to top of this
report]
Permanent Halloween
US payment card technology is inextricably entwined with larger
issues of Internet security in a globally connected world. Online, almost
nobody outside your immediate circle of acquaintances is solely and
exactly who they appear to be; and in late 2016, it became evident that
the net can be a really bad neighborhood. In the rearview
mirror, this looks a lot like we were about one year past a tipping point.
Up until the the October 2015 deadline for chip and signature card
adoption, US card issuers had the option of following a thoroughly
understood, meticulously charted a path to EMV style payment cards
secured by two-factor cardholder identification (such as using the
card and a PIN or the card and a code sent to the user’s phone). Card
issuers would then have been able to choke off key sources of US card
fraud. They didn’t; and this came at a huge opportunity cost.
This defense – hardening the card and largely taking human behavior out
of the vulnerability equation – had a freshness date:
To wit, the point in time at which card issuers knew with a high degree of
certainty which and how many of their accounts were legitimate, real people.
We may already be past that point. Here’s why.
US card issuers currently have their largest population of customers in
twelve years. Today, there are a whopping 171 million card accounts –
fully 22 million more than 2010. This growth has largely been
driven by a willingness to issue cards to “higher risk” consumers. Note that a person can be designated as relatively “higher risk” for a lot
of reasons, including things that relate to the reliability of identity
information.
It bears remembering that the Great Recession was triggered by
reckless lending culminating in a subprime mortgage crisis. A
subprime
identity crisis
could be much worse. A tsunami of skillfully crafted
fake identities could have effects that reach far beyond the financial
system. To really appreciate the gravity of this, picture a massive
denial of service attack that targets identities.
The ability to validate a person’s identity is a cornerstone of
civilized life in the developed economies of the world.
Timeless Lessons of the 2013 Target Hack
It is deeply ironic, but mere months before the attack that reaped 40
million credit card numbers, Target fully appreciated the need for card
transaction policing. The company set out to become one of the most
secure, fraudproof retailers in the US. At a cost of $1.6 million,
Target hired security firm FireEye to install a highly sophisticated
malware detection system. FireEye’s client list includes heavyweights
like the Central Intelligence Agency and the Pentagon, so the security tools in question were gold
standard, and Target knew this.
In addition, Target employed a team of security specialists in Bangalore,
India, to monitor their networks and security diagnostics 24/7. It
paid off. Sort of. On November 30, 2013, the FireEye surveillance system
was triggered. Bangalore picked up on the alarm and immediately notified
the security team at Target corporate headquarters in Minneapolis. In
fact, between November 30th and December 2nd there
were five such security alerts. All of them were ignored by the
headquarters security team. Why?
Mostly, because of three factors:
- Target’s systems were installed and monitored by
contractors. In-house decision makers were notified of alarms not
by familiar or trusted colleagues but by people half a world away with
whom they had no effective working relationship. - Fraud detection systems are extremely complex. Deep experience and
specific, up-to-date training is required to correctly interpret the
information they report. - By default, the FireEye fraud detection system (like those of many of
its competitors) is set to disable, quarantine, or delete suspected
malware automatically. This setting had been overridden and turned off
by the headquarters team. This, unfortunately, is a common
practice.
Essentially, it was the perfect storm of “Not Invented
Here.” In-house employees didn’t trust the new systems, largely
because they didn’t really understand them. They turned off protective
default settings misguidedly believing that the fraud detection system
might disrupt other processes that they would then become responsible for
troubleshooting during a peak holiday shopping period.
To headquarters IT, alarms reported from Bangalore were simply that:
Alarms. They were ignored because they merely had the weight of warnings
to the headquarters team. Large computer systems send out streams of
warnings all day, every day. There was simply no evidence of a
problem, based on the headquarters team’s observation of
local system
status parameters.
Lessons For Enterprise Security and Back-End Payment System
Managers
- Halfway Is No Way: Either hire deeply experienced,
specialized security staff and commit to keeping their level of
preparedness and training up-to-date or outsource the entire operation
to credible, established providers. In either case, make sure the
security function directly reports to a highly qualified executive level
manager. - Audit IT Security and Physical Access Control Rigorously,
Frequently, and Unexpectedly: Initial stages of attacks
frequently involve an insider or trusted partner. Target’s data center
was reportedly cased for weeks by an imposter posing as an HVAC
contractor. - Empower Third Party Security Consultants to Make First
Responder Interventions: When surveillance systems
contractors are alerted to potential threats, empower them to make
immediate interventions. It is usually possible to interdict
suspected malware in a reversible fashion in the case that the alarm
turns out to be unfounded. Target’s security monitors raised the first
alarm several days before any card data was exfiltrated.
Recommendations
[return to top of this
report]
- International Business Travelers Need True EMV Chip-and-PIN
Technology
Travel outside the US demands true EMV chip-and-PIN payment
cards. US card issuers have been extremely opaque about this with
their customers, so don’t be misled. A chip-and-signature card that
is configured by the card issuer to support chip-and-PIN technology will
often fail in readers in Europe, South America, and Asia. - To be sure of conducting business in an uninterrupted, predictable
fashion, provide enterprise business travelers with a fully EMV
compliant cards. As of this writing, Barclays Bank offers US residents
true chip-and-PIN compliant cards for no additional fee. These cards
work reliably for travel outside the US.
Web Links
[return to top of this
report]
- Backend Payment Systems Security
FireEye: http://www.fireeye.com/ - In Depth EMV Primer
The Migration to EMV: http://www.thatsemv.com
About the Author
[return to top of this
report]
Nancy Nicolaisen is an author, researcher, and
consultant specializing in designing solutions based on small, mobile,
connected devices.
[return to top of this
report]