
Why we need penetration testing in a post EMV world

Penetration Testing in a Post EMV World

With around a month to go until the official date of the infamous liability shift in the US, the go-live for the EMV standard (Chip and PIN), it's looking like we are not entirely prepared.

According to this recent Banking Exchange survey, a bit over half of the respondents reported that they want to push back the date to give them more time to prepare for the shift. As deadlines slip and projects are rushed, some security elements of a project may not get enough attention, and others are dropped to streamline the project.

It's most likely in these places that security gaps start to emerge, and recently we've seen some of them exploited in new ways, specifically in EMV, the trusted technology that is supposed to minimize our card fraud problems. So, if EMV is such a great thing for the rest of the world, how are we getting it so wrong that new attacks are still forthcoming, and what do we do about it?

Consider the pentest, or penetration test: a security gap-detection method that attempts to "hack" into a given target using the usual techniques employed by the black hats (nefarious attackers; think of a cartoon villain with a long curly moustache). They use any means at their disposal: social engineering, brute force, malware, phishing, watering-hole attacks, you name it, and they're good at it.

Pentesters are the security people who put on the white hat or, if necessary, the grey hat, somewhere between the clean-hands good guy and the place where the techniques used are known to be malicious. Pentesters may employ most of these same methods to achieve the same end, but with the target's discreet permission to do so.

Consider the attack typically used. Someone breaches a merchant's POS terminal, hoovers the card numbers out and creates counterfeits. EMV can stop this process by injecting itself into the kill chain early on and making some data one-time-use only, IF all controls are on point. When they are not, say a verification step on a single data element that should be performed at the processor is skipped, the whole thing becomes vulnerable to the same technique being repeated over a weekend. Then we have a sizable problem.
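As an added illustration, not code from the original post, of why that processor-side verification step matters: a simplified model in which the card emits a one-time cryptogram over the transaction data and a transaction counter, and the processor either verifies both (rejecting a replayed authorization) or skips the check (accepting it). The MAC construction, card key and sample PAN below are constructed placeholders, not the real EMV cryptogram algorithm.

```python
import hmac
import hashlib

# Constructed demo key; a real card holds a per-card key derived from an issuer master key.
CARD_KEY = b"constructed-demo-key-not-a-real-emv-key"


def card_cryptogram(pan, atc, amount_cents):
    """Simplified stand-in for the per-transaction cryptogram (ARQC) a chip
    produces: a MAC over the PAN, the application transaction counter (ATC)
    and the amount. This is NOT the real EMV cryptogram algorithm."""
    msg = f"{pan}|{atc}|{amount_cents}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


class Processor:
    """Authorizer that verifies the cryptogram and enforces a strictly
    increasing ATC per PAN, so a captured authorization cannot be replayed.
    With verify=False it models a processor that skips that step."""

    def __init__(self, verify=True):
        self.verify = verify
        self.last_atc = {}  # PAN -> highest ATC seen

    def authorize(self, pan, atc, amount_cents, cryptogram):
        if self.verify:
            expected = card_cryptogram(pan, atc, amount_cents)
            if not hmac.compare_digest(expected, cryptogram):
                return False  # forged or altered transaction data
            if atc <= self.last_atc.get(pan, -1):
                return False  # replayed (or stale) counter
        self.last_atc[pan] = max(atc, self.last_atc.get(pan, -1))
        return True


def replay_outcome(verify):
    """Send one genuine authorization, then replay it verbatim.
    Returns (first_accepted, replay_accepted)."""
    proc = Processor(verify=verify)
    pan, atc, amount = "4111111111111111", 17, 2599  # constructed sample
    crypt = card_cryptogram(pan, atc, amount)
    first = proc.authorize(pan, atc, amount, crypt)
    replay = proc.authorize(pan, atc, amount, crypt)
    return first, replay
```

The strict processor accepts the genuine transaction and rejects the replay; the one that skips verification accepts both, which is the gap the weekend-long repeat attack exploits.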

Consider the role of the pentester: to examine the environment, understand some of its weaknesses and then exploit them in the wild. This can be done using the same techniques the fraudsters use, or in a more controlled way, to discover the potential for abuse in the real world. The more realistic the scenario (actually purchasing compromised cards, phishing employees, testing for internet-facing access gaps) in attempting to identify a path to pseudo-financial gain for the pentester, the more likely the findings are to be valid.

Now consider performing penetration testing in the real world in our roles as fraud managers. We could ask vendors and consultants to design experiments, surf the dark web (the internet underground) for intel on current fraudster methodologies, and then prove the gap (under explicit permission from Directors) to be exploitable, making the case that we have either a clean bill of health or gaps that we must cover.

In some of my discussions with security peers, we've identified that this is a real marketplace need and value. However, it is controversial and provocative and may not sit well with many managers... I get that. It's not for everyone.

Let me be clear: I've never put a counterfeit card in front of a point of sale; I've never attempted to take over an account, but knowing the steps necessary to do so is what may help design a more valid experiment. I certainly don't want to condone clandestine work to isolate gaps without explicit permission. And I'm certainly not opening shop next week... but having a third-party entity, with the knowledge to execute this testing, may be a shrewd way to ensure that your systems are indeed secure, potentially saving immeasurable losses from occurring.

So, if the stars aligned and a progressive prospect with the right security culture made the request, I might give it a go. With a white hat on and a neatly trimmed beard.