Why we need penetration testing in a post EMV world
With around a month until the official date for the infamous liability shift in the US, the official go-live for the EMV standard, or Chip and PIN, it’s looking like we are not entirely prepared.
According to this recent Banking Exchange survey, a bit over half of the respondents reported that they want to push back the date to give them more time to prepare for the shift. As we are delayed and projects are rushed, some security elements of the project may not be given enough attention, or others are dropped to streamline the project.
It’s most likely in these places that we start to see some security gaps emerge, and recently, we’ve seen some of them exploited in new ways, specifically in EMV, the trusted technology that should minimize our card fraud problems. So, if EMV is such a great thing for the rest of the world, how are we getting it so wrong that new attacks are still forthcoming, and what do we do about it?
Consider the PenTest, or Penetration test—a security gap-detection method that attempts to “hack” into a given target using the same techniques employed by the black hats (or nefarious attackers, think of a cartoon villain with a long curly moustache). They use any means at their disposal: social engineering, brute force, malware, phishing, watering-hole attacks, you name it, and they’re good at it.
Pentesters are the security people who put on the white or, if necessary, the grey hat… somewhere between the clean-hands good guy and the place where the techniques used are known to be malicious. Pentesters may employ most of these same methods to achieve the same end, but only with the explicit permission of whoever owns the target.
Consider a typical attack. Someone breaches a merchant’s POS terminal, hoovers the card numbers out and creates counterfeits. EMV can stop this process by injecting itself into the kill-chain early on and making some data one-time-use only, IF all controls are on point. When they are not, if, say, a verification step on a single data element that should be performed at the processor is skipped, then the whole thing becomes vulnerable to repeated attacks using the same technique over a weekend. Then we have a sizable problem.
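To make the “one-time-use only IF all controls are on point” argument concrete, here is a deliberately simplified model of processor-side verification, written as an added example for this post and not taken from the EMV specification or from any vendor’s code. It assumes a hypothetical card that shares a secret key with its processor, keeps a strictly increasing transaction counter, and emits an HMAC “cryptogram” over each transaction’s counter, amount and terminal id; the processor approves a transaction only if the cryptogram verifies and the counter has not been seen before. A `verify_dynamic_data` switch models the gap the paragraph describes: with the check skipped, a replayed record and a record carrying a bogus cryptogram are both approved. Card numbers, keys and terminal ids are constructed sample values.

```python
"""Simplified model of a processor verifying a one-time transaction element.

Constructed example, NOT the EMV specification: the card keys a MAC over
(counter, amount, terminal id) and increments the counter on every purchase.
The processor approves only if the MAC verifies under the card's key and the
counter is higher than the last one accepted for that card.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Transaction:
    pan: str            # card number (constructed sample value)
    counter: int        # per-card transaction counter, must increase
    amount_cents: int
    terminal_id: str
    cryptogram: str     # hex HMAC over the fields above


def _cryptogram(key: bytes, counter: int, amount_cents: int, terminal_id: str) -> str:
    """Hypothetical one-time element: HMAC-SHA256 over the dynamic fields."""
    msg = f"{counter}|{amount_cents}|{terminal_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Card:
    """Issued card: holds the shared key and the monotonically increasing counter."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key
        self._counter = 0

    def purchase(self, amount_cents: int, terminal_id: str) -> Transaction:
        self._counter += 1
        mac = _cryptogram(self._key, self._counter, amount_cents, terminal_id)
        return Transaction(self.pan, self._counter, amount_cents, terminal_id, mac)


class Processor:
    """Authorization host. verify_dynamic_data=False models the skipped check."""

    def __init__(self, card_keys: Dict[str, bytes], verify_dynamic_data: bool = True) -> None:
        self._keys = dict(card_keys)
        self._last_counter: Dict[str, int] = {}
        self.verify_dynamic_data = verify_dynamic_data

    def authorize(self, tx: Transaction) -> Tuple[bool, str]:
        key = self._keys.get(tx.pan)
        if key is None:
            return False, "unknown card"
        if self.verify_dynamic_data:
            expected = _cryptogram(key, tx.counter, tx.amount_cents, tx.terminal_id)
            if not hmac.compare_digest(expected, tx.cryptogram):
                return False, "cryptogram mismatch"      # counterfeit or altered record
            if tx.counter <= self._last_counter.get(tx.pan, 0):
                return False, "replayed counter"         # same one-time element seen again
        self._last_counter[tx.pan] = max(self._last_counter.get(tx.pan, 0), tx.counter)
        return True, "approved"


def demo() -> Dict[str, str]:
    """Run the same three records through a strict and a lax processor."""
    key = b"constructed-demo-key-not-real"
    card = Card("TESTPAN-0001", key)                      # constructed sample PAN
    genuine = card.purchase(2599, "TERM-01")
    # A copy of the captured record with a made-up cryptogram: no key, no valid MAC.
    forged = Transaction(card.pan, genuine.counter + 1, 2599, "TERM-01", "00" * 32)

    strict = Processor({card.pan: key})
    lax = Processor({card.pan: key}, verify_dynamic_data=False)
    return {
        "genuine_strict": strict.authorize(genuine)[1],   # approved
        "replay_strict": strict.authorize(genuine)[1],    # replayed counter
        "forged_strict": strict.authorize(forged)[1],     # cryptogram mismatch
        "genuine_lax": lax.authorize(genuine)[1],         # approved
        "replay_lax": lax.authorize(genuine)[1],          # approved: the gap
        "forged_lax": lax.authorize(forged)[1],           # approved: the gap
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The point a fraud manager can take from the output is that the card-side protection is only as good as the host-side check: the same two hostile records are rejected by the strict processor and silently approved by the lax one, which is exactly the kind of finding a realistic penetration test of the authorization path is meant to surface.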
Consider the role of the Pentester: to examine the environment, understand some of the weaknesses and then exploit them in the wild. This can be done using the same techniques the fraudsters use, or in a more controlled way, to discover the potential for abuse in the real world. The more realistic the scenario (actually purchasing compromised cards, phishing employees, testing for internet-facing access gaps) in attempting to identify a path to pseudo-financial gain for the Pentester, the more likely the findings are to be valid.
Now consider performing penetration testing in the real world in our roles as fraud managers. We could ask vendors and consultants to design experiments, surf the dark web (the internet underground) for intel on current fraudster methodologies and then prove the gap exploitable (under explicit permission from Directors), making the case that we have either a clean bill of health or gaps that indeed exist and must be covered.
In some of my discussions with security peers, we’ve identified that this is a real marketplace need and value. However, it is controversial and provocative and may not sit well with many managers…I get that. It’s not for everyone.
Let me be clear, I’ve never put a counterfeit card in front of a point of sale; I’ve never attempted to take over an account, but knowing the steps necessary to do so is what may help design a more valid experiment. I certainly don’t want to condone clandestine work to isolate gaps without explicit permission. And I’m certainly not opening shop next week… but having a third party entity—with the knowledge to execute this testing—may be a shrewd way to ensure that your systems are indeed secure, potentially saving immeasurable losses from occurring.
So, if the stars aligned and a progressive prospect with the right security culture made the request, I might give it a go. With a white hat on and a neatly trimmed beard.