Why we need penetration testing in a post-EMV world
With around a month to go until the official date of the much-discussed liability shift in the US, the go-live for the EMV standard (chip cards, or "Chip and PIN"), it is looking like we are not entirely prepared.
According to this recent Banking Exchange survey, a little over half of the respondents want the date pushed back to give them more time to prepare for the shift. As dates slip and projects are rushed, some security elements of the project may not get enough attention, or are dropped altogether to streamline delivery.
It is most likely in these places that security gaps emerge, and recently we have seen some of them exploited in new ways, specifically against EMV, the trusted technology that is supposed to minimize our card fraud problem. So if EMV works so well for the rest of the world, how are we getting it wrong badly enough that new attacks keep appearing, and what do we do about it?
Consider the penetration test, or pentest: a way of finding security gaps by attempting to "hack" into a given target using the same techniques the black hats employ (the nefarious attackers; think of a cartoon villain with a long curly moustache). Attackers use any means at their disposal: social engineering, brute force, malware, phishing, watering-hole attacks, you name it, and they are good at it.
Pentesters are the security people who put on the white hat or, when necessary, the grey hat, somewhere between the clean-hands good guy and the point where the techniques used are known to be malicious. Pentesters may employ most of these same methods to achieve the same end, but with the target's explicit permission to do so.
Consider the attack typically used. Someone breaches a merchant's POS terminal, hoovers out the card numbers and creates counterfeits. EMV can stop this process by inserting itself early in the kill chain and making some of the transaction data one-time-use only, IF all controls are on point. When they are not, if, say, a verification step on a single data element is skipped (a step performed at the processor, such as checking the transaction cryptogram or the card's transaction counter), then the whole thing becomes vulnerable to the same technique being repeated over a weekend. Then we have a sizable problem.
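To make the "one skipped verification step" point concrete, here is a toy model of an issuer host authorizing chip transactions. It is added for this page and is not the author's work or any real issuer or processor system: an HMAC-SHA256 tag stands in for the card's cryptogram, the PAN and card key are constructed sample values, and only two one-time elements are modelled, the card's application transaction counter (ATC) and the terminal's unpredictable number (UN). Each host-side check can be switched off individually, which shows how a set of authorization data captured at a breached terminal turns from single-use into endlessly replayable.

```python
"""Toy issuer-side authorization for chip transactions.

Not real EMV: an HMAC-SHA256 tag stands in for the card's ARQC, and the
application transaction counter (ATC) and terminal unpredictable number (UN)
are the only one-time elements modelled. The control flow is the point:
which host-side checks make captured authorization data single-use, and what
a breached POS can do when a host skips one of them.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data (hypothetical PAN and card key, not real values).
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEYS = {SAMPLE_PAN: bytes.fromhex("00112233445566778899aabbccddeeff")}


def card_cryptogram(key: bytes, pan: str, atc: int, amount_cents: int, un: int) -> str:
    """What the chip produces: a MAC over the transaction data and its counter."""
    msg = f"{pan}|{atc}|{amount_cents}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class IssuerHost:
    """Issuer/processor host with each verification step individually switchable."""
    keys: dict
    check_cryptogram: bool = True   # recompute and compare the MAC
    check_counter: bool = True      # require the ATC to move forward per card
    last_atc: dict = field(default_factory=dict)

    def authorize(self, pan: str, atc: int, amount_cents: int, un: int, cryptogram: str) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE:unknown_card"
        if self.check_cryptogram:
            expected = card_cryptogram(key, pan, atc, amount_cents, un)
            if not hmac.compare_digest(expected, cryptogram):
                return "DECLINE:bad_cryptogram"
        if self.check_counter and atc <= self.last_atc.get(pan, -1):
            return "DECLINE:counter_replay"
        self.last_atc[pan] = max(atc, self.last_atc.get(pan, -1))
        return "APPROVE"


def _captured_transaction():
    """One genuine purchase, as a breached terminal would capture it."""
    atc, amount_cents, un = 17, 4999, 0x1A2B3C4D
    tag = card_cryptogram(SAMPLE_KEYS[SAMPLE_PAN], SAMPLE_PAN, atc, amount_cents, un)
    return (SAMPLE_PAN, atc, amount_cents, un, tag)


def replay_scenario(check_cryptogram: bool, check_counter: bool, replays: int = 3) -> list:
    """The genuine transaction, then the same bytes replayed with no card present."""
    host = IssuerHost(dict(SAMPLE_KEYS), check_cryptogram, check_counter)
    captured = _captured_transaction()
    results = [host.authorize(*captured)]
    for _ in range(replays):
        results.append(host.authorize(*captured))
    return results


def forged_counter_scenario(check_cryptogram: bool) -> str:
    """Attacker bumps the counter to get past the replay check but has no card key."""
    host = IssuerHost(dict(SAMPLE_KEYS), check_cryptogram, check_counter=True)
    pan, atc, amount_cents, un, tag = _captured_transaction()
    host.authorize(pan, atc, amount_cents, un, tag)             # genuine one goes through
    return host.authorize(pan, atc + 1, amount_cents, un, tag)  # stale MAC, new counter


if __name__ == "__main__":
    print("all checks on:      ", replay_scenario(True, True))
    print("counter check off:  ", replay_scenario(True, False))
    print("forged counter, MAC checked:", forged_counter_scenario(True))
    print("forged counter, MAC skipped:", forged_counter_scenario(False))
```

With both checks on, the captured transaction is approved once and every replay is declined on the counter; with the counter check skipped, the very same bytes are approved as often as they are sent, which is the "same technique over a weekend" case above. The forged-counter scenario shows why the cryptogram check matters on its own: an attacker can increment a counter, but without the card key the MAC no longer matches.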
Consider the role of the pentester: examine the environment, understand its weaknesses and then exploit them, in the wild if need be. This can be done using the same techniques the fraudsters use, or in a more controlled way, to discover the potential for abuse in the real world. The more realistic the scenario (actually purchasing compromised cards, phishing employees, testing internet-facing access for gaps) in the attempt to find a path to pseudo-financial gain for the pentester, the more valid the findings are likely to be.
Now consider performing penetration testing in the real world in our role as fraud managers. We could ask vendors and consultants to design experiments, trawl the dark web (the internet underground) for intelligence on current fraudster methods, and then prove the gap exploitable (with explicit permission from directors) to make the case that we either have a clean bill of health or have real gaps that must be covered.
In some of my discussions with security peers, we’ve identified that this is a real marketplace need and value. However, it is controversial and provocative and may not sit well with many managers…I get that. It’s not for everyone.
Let me be clear: I've never put a counterfeit card in front of a point of sale; I've never attempted to take over an account. But knowing the steps necessary to do so is what may help design a more valid experiment. I certainly don't want to condone clandestine work to isolate gaps without explicit permission. And I'm certainly not opening shop next week... but having a third-party entity, with the knowledge to execute this testing, may be a shrewd way to ensure that your systems are indeed secure, potentially saving immeasurable losses from occurring.
So, if the stars aligned and a progressive prospect with the right security culture made the request, I might give it a go. With a white hat on and a neatly trimmed beard.