Best Practices for Secure Credit Card Transactions


by Nancy Nicolaisen

Docid: 00021391

Publication Date: 1705

Report Type: TUTORIAL

Preview

The US is in the crosshairs of the world’s most active and accomplished
payment card data thieves precisely because its financial networks have
long been the easiest targets in the developed world. The
number one contributor to this vulnerability: Magnetic stripe cards for
payment and identity authentication. Now, with a US transition
under way to chip-enabled payment cards, holders of stolen credit card
data are making a concerted effort to monetize their inventories while the
window of opportunity remains open.

Executive Summary

Thieves, particularly technologically-oriented thieves, strike where they
discover three things: An easily exploited vulnerability, low risk of
getting caught, and a potentially large payoff.

US payment card issuers provide all three of those incentives through the
continuing use of credit and debit cards that include magnetic
stripe data. This flaw constitutes more than just a risk to merchants and
card users. The entire US consumer financial network is riddled
with a structural vulnerability related to the pervasive use of weak,
obsolete magstripe payment technologies that invite ID theft and card
fraud.

By contrast, in Europe, South America, and Asia, the dominant payment
card technology (known as chip-and-PIN or EMV) is highly secure: It is
extremely resistant to counterfeiting, and a stolen card is almost always
worthless to a thief. This makes both in-person and “Card Not Present”
fraud (through online, telephone, and mail transactions) rare. EMV has
been in use since the mid-1990s and is credited for reducing card fraud by
as much as 90 percent in some locales.

This record of success notwithstanding, US card issuers have snubbed EMV
and instead mandated an incremental migration to chip-based cards using a
security model called “chip-and-signature.” Chip-and-signature cards will
still carry magnetic stripe data, are much less secure than EMV
cards if they are lost or stolen, and aren’t useful for travel outside the
US.

One year in, merchants and card holders have suffered the brunt of huge
spikes in card-not-present, account takeover, and new account creation
fraud. At the end of 2016, 64 percent of vendors had not fully implemented chip
and signature payment terminals. Merchants cited reasons relating to cost,
erratic performance and inability to integrate them with backend payment
systems. As of October 2015, US card issuers unilaterally shifted in-person
fraud liability to retail vendors if they had not installed chip and
signature terminals. Even in the face of this heavy-handed shove,
broad chip and signature adoption remains stalled.

Description


A Perfect Storm of Sophisticated Criminal Networks, Weak Technology, and Short Term Thinking

In 2016, identity fraud reached a 13 year peak. According to Javelin
Strategy and Research, more than 15 million consumers were defrauded at
an estimated cost of $13 billion USD. Card fraud was the key driver.

Credit card fraud is the quintessential crime of opportunity, and
criminals are looking for three things, specifically, when they evaluate a
target:

  1. Easily exploited vulnerability.
  2. Low risk of getting caught.
  3. Potentially large payoffs.

On the first point, US card based payment systems are
really nothing more than antiquated, single purpose, networked computer
systems. They typically include numerous components under the control of
many different service providers, so the number of potential points of
weakness is vast. It’s a scenario that dramatically reduces the likelihood of
hackers being detected, let alone caught. And with a 2016 paycheck
of around $16 billion, there is no doubt anywhere that this is a rich
opportunity.

Mounting a Defense Against Card Fraud and ID Theft

Defending against any type of hacking is really a matter of identifying
weaknesses and hardening them before they can be exploited. This textbook
definition of a computer security vulnerability frames the problem:

A computer system vulnerability is the confluence of three things: A
system weakness or flaw; an attacker’s access to tools, systems, or
people that will aid in exploitation of the flaw; and a means by which
to make contact with infected systems after the exploitation mechanism
is in place.

Thus, in the case of payment card fraud, there are three categories of
vulnerabilities which must be addressed:

  • The insecurity inherent in the card.
  • The behavior of the card owner.
  • The chain of custody of card transaction data.

Far and away the easiest place to start eliminating vulnerabilities is with
the card.

Advanced Card Technologies
Nearly all of the payment cards issued in the EU and most issued
in Asia use an authentication system called chip-and-PIN, or EMV.
EMV was developed by collaborators Europay, MasterCard, and Visa and is
the de facto global payment technology standard. It has been
ubiquitous outside the US since the mid-1990s.

EMV cards embed a single-chip computer that stores a biometric
identifier, passwords, data, and apps. It requires no battery because
an EMV card is powered by the reader. The card’s data and apps can’t be
accessed until both cardholder and reader are identified and validated as
legitimate. Conceptually, EMV cards secure an in-person transaction this
way:

  • The card owner initiates a payment transaction by placing the EMV card
    near the vendor’s EMV card reader.
  • The reader powers up the EMV card’s microprocessor.
  • The EMV card prompts the user to enter a personal identification code
    (PIN) on the reader’s key pad.
  • The reader feeds the PIN back to the EMV card.
  • The EMV card uses onboard software to compare the PIN to an encrypted,
    stored copy of the user’s PIN.
  • If the two match, the user is authenticated and the payment
    transaction can proceed.

This technology was pioneered in France and has been widely deployed
there since 1996. It is credited with cutting in-person credit card fraud
in France by well over 90 percent. EMV payment cards are unappealing to
thieves as they are worthless without the PIN and will lock themselves
after three consecutive incorrect PIN inputs. EU consumers generally
perceive the benefits of theft-proof payment cards to be well worth the
effort of remembering and entering PINs; and, for convenience, some low
value transactions (e.g. transit fares) are exempted from PIN validation.
If cardholders guard the privacy of PINs, EMV based cards largely take the
“human behavior” security threat out of play. Losing a card may be
inconvenient but poses little financial risk to cardholder, issuer, or
vendor.
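The PIN check in the transaction flow above, together with the three-strikes lockout and the low-value PIN exemption mentioned in the following paragraph, as an added illustration that is not part of the original report and not the EMV specification itself: the card stores a salted hash as a stand-in for the “encrypted, stored copy” of the PIN, the reader relays what the user typed, and only the card decides. Class and function names, the $5 low-value limit and the sample PINs are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Simplified model of the chip-and-PIN flow described in the report; it is
# NOT the EMV specification. The card alone holds the PIN material and the
# retry counter; the reader never sees or stores the reference PIN.

MAX_PIN_TRIES = 3          # card locks after three consecutive wrong PINs
LOW_VALUE_LIMIT = 5.00     # constructed threshold for PIN-exempt transactions


class EmvCardModel:
    """Card side: owns the PIN check and the retry counter."""

    def __init__(self, pin: str):
        self._salt = os.urandom(16)            # per-card salt, never leaves the card
        self._pin_hash = self._digest(pin)     # stand-in for the encrypted stored PIN
        self.tries_left = MAX_PIN_TRIES

    def _digest(self, pin: str) -> bytes:
        return hashlib.sha256(self._salt + pin.encode()).digest()

    @property
    def locked(self) -> bool:
        return self.tries_left == 0

    def verify_pin(self, pin: str) -> str:
        """Return 'ok', 'wrong' or 'locked' to the reader, nothing more."""
        if self.locked:
            return "locked"
        # constant-time compare so timing does not leak how much of the digest matched
        if hmac.compare_digest(self._digest(pin), self._pin_hash):
            self.tries_left = MAX_PIN_TRIES    # a correct PIN resets the counter
            return "ok"
        self.tries_left -= 1
        return "locked" if self.locked else "wrong"


def process_transaction(card: EmvCardModel, amount: float, entered_pin: Optional[str]) -> str:
    """Reader side: pick the cardholder verification method and report the outcome."""
    if amount <= LOW_VALUE_LIMIT:
        return "approved-no-pin"               # e.g. transit fares exempt from PIN entry
    if entered_pin is None:
        return "declined-pin-required"
    result = card.verify_pin(entered_pin)
    if result == "ok":
        return "approved"
    if result == "locked":
        return "declined-card-locked"
    return f"declined-wrong-pin ({card.tries_left} tries left)"


if __name__ == "__main__":
    card = EmvCardModel("4921")
    print(process_transaction(card, 2.50, None))       # approved-no-pin
    print(process_transaction(card, 40.00, "0000"))    # declined-wrong-pin (2 tries left)
    print(process_transaction(card, 40.00, "4921"))    # approved
```

Run it three times with wrong PINs and the card reports “locked” for every later attempt, including the correct PIN, which is what makes a stolen card worthless to the thief.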

In the US, by contrast, significant problems with both cards and people
create serious exposure to card fraud.

Why Magnetic Stripe Payment Cards Are Doomed
One of the defining design features of magnetic stripe payment
cards is that they are fast, easy, and cheap to manufacture. That is
certainly part of why the US financial industry is so tenaciously enamored with
them: In bulk, they can be produced for a few pennies each, while
chip enabled cards cost a bit more than $1 USD to manufacture.

Anyone can create a magnetic stripe card. Magnetic stripe card
writers sell on eBay for less than $150 USD, complete with accessory kit,
no questions asked.

It would be tedious to enumerate all of the ID theft and card fraud
headlines of the past 18 months, but if there is one definite takeaway, it
is that US payment cards are insecure and this harms consumers and businesses of every scale.

There is irrefutable evidence of a robust trade in stolen US credit
card data. It is routinely exported, aggregated, and distributed
for sale on Web sites registered in Russia, Somalia, Laos, and
elsewhere. Wholesalers are very sophisticated. They typically sort
and aggregate card numbers by address, right down to the zip code, because
card counterfeiters prefer card data sourced from their own
localities. To further build loyalty, sellers offer purchasers a six
hour exchange guarantee – more than enough time for counterfeiters to
print and test cards. This is an efficient, thriving, entrenched industry, and
it is centered in some of the most lawless countries on the
planet. Interdiction is not a realistic possibility.

Current View


A Rocky Rollout for US Chip Card Payment Technology

When US card issuers unveiled their plan for chip and
signature based cards, their sales pitch to merchants and consumers was
that they would see an immediate drop in card fraud. One year in, the
numbers are published and they don’t look good. Identity theft rose
by more than 16 percent in 2016, costing individual consumers $16 billion USD,
a new high. Card-not-present fraud (as in phone and online
purchasing) rose by 40 percent, account takeovers were up by better than 60
percent, and
fraudulent account creation was up by 40 percent. The breadth and
sophistication of this surging criminal activity says a lot about the
adversaries US card issuers face. If it were their intent to bring the
entire system down, they could probably do it.

Chip-enabled card adoption is badly stalled in the US. About 64 percent of
merchants haven’t yet installed chip compatible point of sale payment
terminals, but they only accounted for half of all in-person
credit card fraud.

Many merchants that bought and installed the new
terminal equipment have been unable to implement it. Perhaps this shouldn’t be
surprising given the "Big Bang" style rollout and the wholesale confusion
regarding vendor, consumer, and card issuer roles and responsibilities in the
months leading up to the October 2015 deadline for shifting fraud liabilities to
vendors.

Card issuers seem to have embraced smart payment card technologies pretty
much exclusively as a means of shifting the cost of fraud rather than as a
means of preventing it. What is overlooked by this tactic is that, as a
practical matter, cost shifting is not the same as consequence
shifting. For card issuers, consequences like lost opportunities and
enormous exposure to future risks aren’t going away. Among the most
serious current issues and obstacles for chip card adoption:

  • Millions of merchants invested in chip enabled payment terminal
    hardware, only to discover that their vendors and service providers
    could not yet support them with transaction processing software. This
    left merchants out of pocket for upgrades and also fully
    liable for fraudulent transaction chargebacks by card issuers. Hannah
    Walker, Senior Director of Technology and Nutrition Policy at the Food
    Marketing Institute, reported that one member of her trade association –
    a single medium sized grocery chain – experienced $1 million in chargebacks in one week.
  • Organized crime operations holding large inventories of stolen card
    numbers are redoubling efforts to monetize stolen IDs while it is still
    relatively easy to do so.
  • Merchants, who have arguably been treated unfairly in the chip card
    transition process, are beginning to ask some very valid questions.
    One hot button example: The 0.5 to 2.5 percent per transaction fee
    merchants pay card issuers has always been justified by banks as an
    “insurance premium against card fraud.” Why should vendors still
    pay it since the cost of the fraud has been shifted to them?

VISA’s Compromise for Travelers
In most locales outside the US, chip-and-signature cards are not accepted.
Travelers outside the US need to either equip themselves with true EMV
compliant chip-and-PIN cards or plan on using some other form of payment.
Cardholders, predictably, are not happy about this. In response, VISA has
recently announced a small workaround that will be somewhat helpful. In
settings outside the US where VISA-enabled payment kiosks are in use (such
as public transit fares, bike rental, airport luggage carts), VISA’s
chip-and-signature cards should work for payment. While this won’t do much
for a traveler who wants to find a place to eat, drink, shop, or sleep, it
is worth knowing.

Outlook


Permanent Halloween

US payment card technology is inextricably entwined with larger
issues of Internet security in a globally connected world. Online, almost
nobody outside your immediate circle of acquaintances is solely and
exactly who they appear to be; and in late 2016, it became evident that
the net can be a really bad neighborhood. In the rearview
mirror, this looks a lot like we were about one year past a tipping point.

Up until the October 2015 deadline for chip and signature card
adoption, US card issuers had the option of following a thoroughly
understood, meticulously charted path to EMV style payment cards
secured by two-factor cardholder identification (such as using the
card and a PIN, or the card and a code sent to the user’s phone). Card
issuers would then have been able to choke off key sources of US card
fraud. They didn’t, and this came at a huge opportunity cost.

This defense – hardening the card and largely taking human behavior out
of the vulnerability equation – had a freshness date:
To wit, the point in time at which card issuers knew with a high degree of
certainty which and how many of their accounts were legitimate, real people.

We may already be past that point. Here’s why.

US card issuers currently have their largest population of customers in
twelve years. Today, there are a whopping 171 million card accounts –
fully 22 million more than 2010. This growth has largely been
driven by a willingness to issue cards to “higher risk” consumers. Note that a person can be designated as relatively “higher risk” for a lot
of reasons, including things that relate to the reliability of identity
information.

It bears remembering that the Great Recession was triggered by
reckless lending culminating in a subprime mortgage crisis. A
subprime identity crisis could be much worse. A tsunami of skillfully crafted
fake identities could have effects that reach far beyond the financial
system. To really appreciate the gravity of this, picture a massive
denial of service attack that targets identities.

  • The ability to validate a person’s identity is a cornerstone of
    civilized life in the developed economies of the world.

Timeless Lessons of the 2013 Target Hack
It is deeply ironic, but mere months before the attack that reaped 40
million credit card numbers, Target fully appreciated the need for card
transaction policing. The company set out to become one of the most
secure, fraudproof retailers in the US. At a cost of $1.6 million,
Target hired security firm FireEye to install a highly sophisticated
malware detection system. FireEye’s client list includes heavyweights
like the Central Intelligence Agency and the Pentagon, so the security tools in question were gold
standard, and Target knew this.

In addition, Target employed a team of security specialists in Bangalore,
India, to monitor their networks and security diagnostics 24/7. It
paid off. Sort of. On November 30, 2013, the FireEye surveillance system
was triggered. Bangalore picked up on the alarm and immediately notified
the security team at Target corporate headquarters in Minneapolis. In
fact, between November 30th and December 2nd there
were five such security alerts. All of them were ignored by the
headquarters security team. Why?

Mostly, because of three factors:

  • Target’s systems were installed and monitored by
    contractors. In-house decision makers were notified of alarms not
    by familiar or trusted colleagues but by people half a world away with
    whom they had no effective working relationship.
  • Fraud detection systems are extremely complex. Deep experience and
    specific, up-to-date training is required to correctly interpret the
    information they report.
  • By default, the FireEye fraud detection system (like those of many of
    its competitors) is set to disable, quarantine, or delete suspected
    malware automatically. This setting had been overridden and turned off
    by the headquarters team. This, unfortunately, is a common
    practice.

Essentially, it was the perfect storm of “Not Invented
Here.” In-house employees didn’t trust the new systems, largely
because they didn’t really understand them. They turned off protective
default settings misguidedly believing that the fraud detection system
might disrupt other processes that they would then become responsible for
troubleshooting during a peak holiday shopping period.

To headquarters IT, alarms reported from Bangalore were simply that:
Alarms. They were ignored because they merely had the weight of warnings
to the headquarters team. Large computer systems send out streams of
warnings all day, every day. There was simply no evidence of a
problem, based on the headquarters team’s observation of local system
status parameters.

Lessons For Enterprise Security and Back-End Payment System Managers

  • Halfway Is No Way: Either hire deeply experienced,
    specialized security staff and commit to keeping their level of
    preparedness and training up-to-date or outsource the entire operation
    to credible, established providers. In either case, make sure the
    security function directly reports to a highly qualified executive level
    manager.
  • Audit IT Security and Physical Access Control Rigorously,
    Frequently, and Unexpectedly: Initial stages of attacks
    frequently involve an insider or trusted partner. Target’s data center
    was reportedly cased for weeks by an imposter posing as an HVAC
    contractor.
  • Empower Third Party Security Consultants to Make First
    Responder Interventions: When surveillance systems
    contractors are alerted to potential threats, empower them to make
    immediate interventions. It is usually possible to interdict
    suspected malware in a reversible fashion in the case that the alarm
    turns out to be unfounded. Target’s security monitors raised the first
    alarm several days before any card data was exfiltrated.

Recommendations


  • International Business Travelers Need True EMV Chip-and-PIN
    Technology: Travel outside the US demands true EMV chip-and-PIN payment
    cards. US card issuers have been extremely opaque about this with
    their customers, so don’t be misled. A chip-and-signature card that
    is configured by the card issuer to support chip-and-PIN technology will
    often fail in readers in Europe, South America, and Asia.
  • To be sure of conducting business in an uninterrupted, predictable
    fashion, provide enterprise business travelers with fully EMV
    compliant cards. As of this writing, Barclays Bank offers US residents
    true chip-and-PIN compliant cards for no additional fee. These cards
    work reliably for travel outside the US.


About the Author


Nancy Nicolaisen is an author, researcher, and
consultant specializing in designing solutions based on small, mobile,
connected devices.
