Why we need penetration testing in a post EMV world
With around a month to go until the infamous liability shift in the US, the official go-live date for the EMV standard (Chip and PIN), it is looking like we are not entirely prepared.
According to this recent Banking Exchange survey, a little over half of the respondents said they want to push back the date to give themselves more time to prepare for the shift. As deadlines slip and projects are rushed, some security elements of the project may not get enough attention, and others may be dropped altogether to streamline the project.
It is most likely in these places that security gaps emerge, and recently we have seen some of them exploited in new ways, specifically in EMV, the trusted technology that is supposed to minimize our card fraud problems. So, if EMV is such a great thing for the rest of the world, how are we getting it so wrong that new attacks keep coming, and what do we do about it?
Consider the PenTest, or Penetration test—a security gap-detection method that attempts to “hack” into a given target using the same techniques employed by the black hats (the nefarious attackers; think of a cartoon villain with a long curly moustache). The black hats use any means at their disposal: social engineering, brute force, malware, phishing, watering-hole attacks, you name it, and they are good at it.
Pentesters are the security people who put on the white hat or, if necessary, the grey hat… somewhere between the clean-hands good guy and the point where the techniques used are known to be malicious. Pentesters may employ most of these same methods to the same end, but with the target owner’s explicit permission to do so.
Consider the typical attack. Someone breaches a merchant’s POS terminal, hoovers out the card numbers and creates counterfeit cards. EMV can stop this process by injecting itself into the kill chain early on and making some of the transaction data one-time-use only, IF all controls are on point. When they are not, say a verification step on a single data element (one that is performed at the processor) is skipped, then the whole thing becomes vulnerable to the same technique being repeated over a weekend. Then we have a sizable problem.
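As an added illustration that is not code from the original post, here is a simplified Python model of the processor-side check the paragraph describes: a constructed transaction counter and a MAC stand in for EMV’s one-time-use data and cryptogram (real EMV key derivation and cryptogram formats are not reproduced), and switching the counter check off shows how one skipped verification lets the same captured transaction be approved again and again.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a per-card secret; real EMV derives card keys differently.
CARD_KEY = b"constructed-demo-card-key"


@dataclass(frozen=True)
class Transaction:
    pan_suffix: str    # last digits of the card number (constructed sample value)
    amount: int        # amount in minor units
    atc: int           # transaction counter: the one-time-use data element
    cryptogram: bytes  # MAC binding counter and amount to this card


def make_cryptogram(pan_suffix: str, amount: int, atc: int) -> bytes:
    """What the (simulated) chip produces for each transaction."""
    msg = f"{pan_suffix}|{amount}|{atc}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()


class Processor:
    """Simplified processor-side authorisation with two controls that can be switched off."""

    def __init__(self, verify_cryptogram: bool = True, check_counter: bool = True):
        self.verify_cryptogram = verify_cryptogram
        self.check_counter = check_counter
        self.last_atc: dict[str, int] = {}

    def authorise(self, tx: Transaction) -> str:
        seen = self.last_atc.get(tx.pan_suffix, -1)
        if self.verify_cryptogram:
            expected = make_cryptogram(tx.pan_suffix, tx.amount, tx.atc)
            if not hmac.compare_digest(expected, tx.cryptogram):
                return "DECLINE:bad-cryptogram"
        # One-time-use means the counter must move forward; a repeat is a replay.
        if self.check_counter and tx.atc <= seen:
            return "DECLINE:replayed-counter"
        self.last_atc[tx.pan_suffix] = max(tx.atc, seen)
        return "APPROVE"


def replay_outcomes(check_counter: bool) -> list[str]:
    """Present one captured transaction three times; with the check off, every replay clears."""
    proc = Processor(check_counter=check_counter)
    captured = Transaction("4242", 1999, 17, make_cryptogram("4242", 1999, 17))
    return [proc.authorise(captured) for _ in range(3)]
```

With both controls on, only the first presentation is approved; with the counter check skipped, all three replays clear, which is the weekend-long exposure the paragraph warns about.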
Consider the role of the Pentester: to examine the environment, understand some of its weaknesses and then exploit them in the wild. This can be done using the same techniques the fraudsters use, or in a more controlled way, to discover the potential for abuse in the real world. The more realistic the scenario (actually purchasing compromised cards, phishing employees, testing internet-facing systems for access gaps) in identifying a path to pseudo-financial gain for the Pentester, the more likely the findings are to be valid.
Now consider performing penetration testing in the real world in our roles as fraud managers. We could ask vendors and consultants to design experiments, surf the darkweb (the internet underground) for intel on current fraudster methodologies and then, under explicit permission from the Directors, prove the gap to be exploitable, so that we can make the case that we have either a clean bill of health or real gaps that we must cover.
In some of my discussions with security peers, we’ve identified that this is a real marketplace need and value. However, it is controversial and provocative and may not sit well with many managers…I get that. It’s not for everyone.
Let me be clear: I’ve never put a counterfeit card in front of a point of sale, and I’ve never attempted to take over an account, but knowing the steps necessary to do so is what helps design a more valid experiment. I certainly don’t condone clandestine work to isolate gaps without explicit permission. And I’m certainly not opening shop next week… but having a third-party entity—with the knowledge to execute this testing—may be a shrewd way to ensure that your systems are indeed secure, potentially saving immeasurable losses from occurring.
So, if the stars aligned and a progressive prospect with the right security culture made the request, I might give it a go. With a white hat on and a neatly trimmed beard.