Why we need penetration testing in a post EMV world
With around a month until the official date for the infamous liability shift in the US, the official go-live for the EMV standard, or Chip and PIN, it’s looking like we are not entirely prepared.
According to a recent Banking Exchange survey, a bit over half of respondents said they want to push back the date to give themselves more time to prepare for the shift. As deadlines slip and projects are rushed, some security elements of a project may not get enough attention, while others are dropped to streamline delivery.
It is most likely in these places that security gaps emerge, and recently we have seen some of them exploited in new ways, specifically against EMV, the trusted technology that is supposed to minimize our card fraud problems. So, if EMV is such a great thing for the rest of the world, how are we getting it so wrong that new attacks are still forthcoming, and what do we do about it?
Consider the pentest, or penetration test: a security gap-detection method that attempts to "hack" into a given target using the same techniques the black hats use (nefarious attackers; think of a cartoon villain with a long curly moustache). They use any means at their disposal: social engineering, brute force, malware, phishing, watering-hole attacks, you name it, and they are good at it.
Pentesters are the security people who put on the white hat or, if necessary, the grey hat, which sits somewhere between the clean-hands good guy and the point where the techniques used are known to be malicious. Pentesters may employ most of these same methods to achieve the same end, but only with the target's explicit, discreet permission to do so.
Consider the typical attack. Someone breaches a merchant's POS terminal, hoovers the card numbers out and creates counterfeits. EMV can stop this process by injecting itself into the kill chain early on and making some of the transaction data one-time-use, but only IF all controls are on point. When they are not, say a verification check on a single data element that should be performed at the processor is skipped, the whole scheme becomes vulnerable to the same technique repeated over a weekend. Then we have a sizable problem.
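To make the point concrete, here is an added, constructed model of the processor-side check (not code from the original post, and a deliberate simplification rather than the EMV specification): the card signs each purchase together with a transaction counter, so the authorization value is one-time-use, and the processor either verifies that value and the counter or, modelling the skipped step, accepts the data as presented. All names, keys and the PAN are constructed test values.

```python
import hmac
import hashlib

# Constructed model: the issuer holds a copy of each card's secret key.
# Hypothetical test PAN and key; nothing here is real card data.
CARD_KEYS = {"4111111111111111": b"constructed-card-key"}


def card_sign(pan: str, counter: int, amount_cents: int) -> str:
    """What the card produces for one purchase in this simplified model:
    a MAC over the PAN, a per-card transaction counter and the amount."""
    msg = f"{pan}|{counter}|{amount_cents}".encode()
    return hmac.new(CARD_KEYS[pan], msg, hashlib.sha256).hexdigest()


class Processor:
    def __init__(self, verify_cryptogram: bool):
        # verify_cryptogram=False models the verification step being skipped.
        self.verify_cryptogram = verify_cryptogram
        self.last_counter = {}  # pan -> highest counter accepted so far

    def authorize(self, txn: dict) -> str:
        pan, ctr, amt, tag = txn["pan"], txn["counter"], txn["amount"], txn["tag"]
        if pan not in CARD_KEYS:
            return "DECLINED: unknown card"
        if not self.verify_cryptogram:
            return "APPROVED"  # the gap: data is trusted as presented
        expected = card_sign(pan, ctr, amt)
        if not hmac.compare_digest(expected, tag):
            return "DECLINED: bad cryptogram"  # amount or PAN altered
        if ctr <= self.last_counter.get(pan, 0):
            return "DECLINED: replayed counter"  # one-time value reused
        self.last_counter[pan] = ctr
        return "APPROVED"


def replay_outcome(verify: bool) -> list:
    """Submit one genuine purchase, then the identical record a second time,
    and return the two processor decisions."""
    pan = "4111111111111111"
    txn = {"pan": pan, "counter": 7, "amount": 2599, "tag": card_sign(pan, 7, 2599)}
    proc = Processor(verify_cryptogram=verify)
    return [proc.authorize(txn), proc.authorize(dict(txn))]
```

With verification off both submissions are approved; with it on, the second is declined because the counter has already been consumed.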
Consider the role of the pentester: to examine the environment, understand some of its weaknesses and then exploit them in the wild. This can be done using the same techniques the fraudsters use, or in a more controlled way, to discover the potential for abuse in the real world. The more realistic the scenario (actually purchasing compromised cards, phishing employees, testing for internet-facing access gaps) in attempting to identify a path to pseudo-financial gain for the pentester, the more likely the findings are to be valid.
Now consider performing penetration testing in the real world in our roles as fraud managers. We could ask vendors and consultants to design experiments, surf the dark web (the internet underground) for intel on current fraudster methodologies, and then, with explicit permission from directors, prove the gap exploitable, to make the case that we either have a clean bill of health or that there are indeed gaps we must cover.
In some of my discussions with security peers, we’ve identified that this is a real marketplace need and value. However, it is controversial and provocative and may not sit well with many managers…I get that. It’s not for everyone.
Let me be clear: I’ve never put a counterfeit card in front of a point of sale, and I’ve never attempted to take over an account, but knowing the steps necessary to do so is what may help design a more valid experiment. I certainly don’t want to condone clandestine work to isolate gaps without explicit permission. And I’m certainly not opening shop next week… but having a third-party entity, with the knowledge to execute this testing, may be a shrewd way to ensure that your systems are indeed secure, potentially saving immeasurable losses from occurring.
So, if the stars aligned and a progressive prospect with the right security culture made the request, I might give it a go. With a white hat on and a neatly trimmed beard.