Yesterday it was reported by The Verge that anonymous hackers have accessed Snapchat's user database and posted 4.6 million user names and phone numbers. In an apparent effort to soften the blow, two digits of the phone numbers were redacted. So we might assume this is a "white hat" exercise, designed to shame Snapchat into improving their security. Indeed, a few days ago Snapchat themselves said they had been warned of vulnerabilities in their APIs that would allow a mass upload of user records.
The response of many has been, well, so what? Some people have casually likened Snapchat's list to a public White Pages; others have played it down as "just email addresses".
Let's look more closely. The leaked list was not in fact public names and phone numbers; it was user names and phone numbers. User names might often be email addresses but these are typically aliases; people frequently choose email addresses that reveal little or nothing of their real world identity. We should assume there is intent in an obscure email address for the individual to remain secret.
Identity theft has become a highly organised criminal enterprise. Crime gangs patiently acquire multiple data sets over many months, sometimes years, gradually piecing together detailed personal profiles. It's been shown time and time again by privacy researchers (perhaps most notably Latanya Sweeney) that re-identification is enabled by linking diverse data sets. And for this purpose, email addresses and phone numbers are superbly valuable indices for correlating an individual's various records. Your email address is common across most of your social media registrations. And your phone number allows your real name and street address to be looked up from reverse White Pages. So the Snapchat breach could be used to join aliases or email addresses to real names and addresses via the phone numbers. For a social engineering attack on a call centre -- or even to open a new bank account -- an identity thief can go an awful long way with real name, street address, email address and phone number.
I was asked in an interview to compare the theft of stolen phone numbers with social security numbers. I surprised the interviewer when I said phone numbers are probably even more valuable to the highly organised ID thief, for they can be used to index names in public directories, and to link different data sets, in ways that SSNs (or credit card numbers for that matter) cannot.
So let us start to treat all personal inormation -- especially when aggregated in bulk -- more seriously! And let's be more cautious in the way we categorise personal or Personally Identifiable Information (PII).
Importantly, most regulatory definitions of PII already embody the proper degree of caution. Look carefully at the US government definition of Personally Identifiable Information:
- information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (underline added).
This means that items of data can constitute PII if other data can be combined to identify the person concerned. That is, the fragments are regarded as PII even if it is the whole that does the identifying.
And remember that the middle I in PII stands for Identifiable, and not, as many people presume, Identifying. To meet the definition of PII, data need not uniquely identify a person, it merely needs to be directly or indirectly identifiable with a person. And this is how it should be when we heed the way information technologies enable identification through linkages.
Almost anywhere else in the world, data stores like Snapchat's would automatically fall under data protection and information privacy laws; regulators would take a close look at whether the company had complied with the OECD Privacy Principles, and whether Snapchat's security measures were fit for purpose given the PII concerned. But in the USA, companies and commentators alike still have trouble working out how serious these breaches are. Each new breach is treated in an ad hoc manner, often with people finessing the difference between credit card numbers -- as in the recent Target breach -- and "mere" email addresses like those in the Snapchat and Epsilon episodes.
Surely the time has come to simply give proper regulatory protection to all PII.
An unhappy holiday for Target customers
A week before Christmas, Target in the US revealed it had suffered a massive payment card data breach, with some 40 million customers affected. Details of the breach are still emerging. No well-informed criticism has yet to emerge of Target's security; instead most observers say that Target has very serious security, and therefore this latest attack must have been very sophisticated, or else an inside job. It appears Target was deemed PCI-DSS compliant -- which only goes to prove yet again the futility of the PCI audit regime for deterring organized criminals.
Security analyst Brian Krebs has already seen evidence of a "fire sale" on carding sites. Cardholder records are worth several dollars each, up to $44 according to Krebs for "fresh" accounts. So the Return on Investment for really big attacks like this one on Target (and before that, on Adobe, Heartland Payments Systems, TJMaxx and Sony) can approach one billion dollars.
We have to face the fact that no amount of conventional IT security can protect a digital asset worth a billion dollars. Conventional security can repel amateur attacks and prevent accidental losses, but security policies, audits and firewalls are not up to the job when a determined thief knows what they're looking for.
It's high time that we rendered payment card data immune to criminal reuse. This is not a difficult technological problem; it's been solved before in Card Present transactions around the world, and with a little will power, the payments industry could do it again for Internet payments, nullifying the black market in stolen card data.
A history of strong standardisation
The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the planet. This seamless interoperability is created by the universal Four Party settlement model, and a long-standing plastic card standard that works the same with ATMs and merchant terminals absolutely everywhere.
So with this determination to facilitate trustworthy and supremely convenient spending in worldwide, it's astonishing that the industry is still yet to standardise Internet payments! We have for the most part settled on the EMV chip card standard for in-store transactions, but online we use a wide range of confusing, piecemeal and largely ineffective security measures. As a result, Card Not Present (CNP) fraud has boomed. I argue that all card payments -- offline and online -- should be properly secured using standardised hardware. In particular, CNP transactions should either use the very same EMV chip and cryptography as do Card Present payments, or it should exploit the capability of mobile handsets and especially Secure Elements.
CNP Fraud trends
The Australian Payments Clearing Association (APCA) releases twice-yearly card fraud statistics, broken down by fraud type: skimming & carding, Card Not Present, stolen cards and so on. Lockstep Consulting monitors the APCA releases and compiles a longitudinal series. The latest Australian card fraud figures are shown below.
APCA like other regulators tend to varnish the rise in CNP fraud, saying it's smaller than the overall rise in e-commerce. There are several ways to interpret this contextualization. The population-wide systemic advantages of e-commerce can indeed be said to outweigh the fraud costs, yet this leaves the underlying vulnerability to payments fraud unaddressed, and ignores the qualitative problems suffered by the individual victims of fraud (as they say, history is written by the winners). It's pretty complacent to play down fraud as being small compared with the systemic benefit of shopping online; it would be like meekly attributing a high road toll to the popularity of motor cars. At some point, we have to do something about safety![And note very carefully that online fraud and online shopping are not in fact two sides of the same coin. Criminals obtain most of their stolen card data from offline retail and processing environments. It's a bit rude to argue CNP fraud is small as a proportion of e-commerce when some people who suffer from stolen card data might have never shopped online in their lives!]
Frankly it's a mystery why the payments industry seems so bamboozled by CNP fraud, because technically it's a very simple problem. And it's one we've already solved elsewhere. For Card Not Present fraud is simply online carding.
Skimming and Carding
In carding, criminals replicate stolen customer data on blank cards; with CNP fraud they replay stolen data on merchant servers.
A magstripe card stores the customer's details as a string of ones and zeroes, and presents them to a POS terminal or ATM in the clear. It's child's play for criminals to scan the bits and copy them to a blank card.
The payments industry responded to skimming and carding with EMV (aka Chip-and-PIN). EMV replaces the magnetic storage with an integrated circuit, but more importantly, it secures the data transmitted from card to terminal. EMV works by first digitally signing those ones and zeros in the chip, and then verifying the signature at the terminal. The signing uses a Private Key unique to the cardholder and held safely inside the chip where it cannot be tampered with by fraudsters. It is not feasible to replicate the digital signature without having access to the inner workings of the chip, and thus EMV cards resist carding.
Online card fraud
Conventional Card Not Present (CNP) transactions are vulnerable because, like the old magstripe cards themselves, they rest on cleartext cardholder data. On its own, a merchant server cannot tell the difference between the original card data and a copy, just as a terminal cannot tell an original magstripe card from a criminal's copy.
Despite the simplicity of the root problem, the past decade has seen a bewildering patchwork of flimsy and expensive online payments fixes. Various One Time Passwords have come and gone, from scratchy cards to electronic key fobs. Temporary SMS codes have been popular for two-step verification of transactions but were recently declared unfit for purpose by the Communications Alliance in Australia, a policy body representing the major mobile carriers.
Meanwhile, extraordinary resources have been squandered on the novel "3D Secure" scheme (MasterCard SecureCode and Verified by Visa). 3D Secure take-up is piecemeal; it's widely derided by merchants and customers alike. It upsets the underlying Four Party settlements architecture, slowing transactions to a crawl and introducing untold legal complexities.
A solution is at hand -- we've done it before
Why doesn't the card payments industry go back to its roots, preserve its global architecture and standards, and tackle the real issue? We could stop most online fraud by using the same chip technologies we deployed to kill off skimming.
It is technically simple to reproduce the familiar card-present user experience in a standard computer or in digital form on a smart phone. It would just take the will of the financial services industry to standardise digital signatures on payment messages sent from a card holder's device or browser to a merchant server.
And there is ample room for innovative payments modalities in online and mobile commerce settings:
All serious payments systems use hardware security. The classic examples include SIM cards, EMV, the Hardware Security Modules mandated by regulators in all ATMs, and the Secure Elements of NFC mobile devices. With well-designed hardware security, we gain a lasting upper hand in the cybercrime arms race.
The Internet and mobile channels will one day overtake the traditional physical payments medium. Indeed, commentators already like to say that the "digital economy" is simply the economy. Therefore, let us stop struggling with stopgap Internet security measures, and let us stop pretending that PCI-DSS audits will stop organised crime stealing card numbers by the million. Instead, we should kill two birds with one stone, and use chip technology to secure both Card Present and CNP transactions, to deliver the same high standards of usability and security in all channels.
Until we render stolen card data useless to criminals, the Return on Investment will remain high for even very sophisticated attacks (or simply bribing insiders), and spectacular data breaches like Target's will continue.
The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures and plots the trend data. The latest stats were released this week, for FY 2012.
Here's the latest picture of Australian payment card fraud growth over the past seven financial years FY2006-12.
Compared with FY2011:
- Total card fraud is up 25%
- CNP fraud is up 27%
- CNP fraud represents three quarters (72%) of all card fraud.
- Card Not Present fraud as a proportion of all fraud remains at just under three quarters (72%).
As with the CY2011 stats we discussed last July, card fraud has again grown in all categories at once, not just Card Not Present, and this is unusual. The explanation may be a burst of skimming and counterfeiting in late 2011 which would be reflected in both the FY2012 and CY2011 numbers.
APCA's press release this week notes that card fraud has dropped in the past six months, contrasting financial 2012 ($189M) with calendar 2011 ($198M). This may not be a statistically valid comparison. We should expect seasonal buying habits will cause asymmetries within 12 months, making FY against CY a case of apples and oranges. Indeed, this looks like the first time APCA themselves have plotted CY and FY stats together. It certainly makes the latest figures look better.
Time will tell whether the trend is changing. The long term trend is that CNP fraud has grown at 38% p.a. on average, from $27M in FY2006 to $189M in FY2012. A 5% drop in the past six months may not mean much. The $189M loss most recently reported is probably close to the true trend.
APCA says "Broadly, the value of CNP fraud reflects growing retail activity in the online space, with many more businesses ... moving online". That's true but the question is: What will we do about it? Bank robbers rob banks because that's where the money is. Think about high road tolls: they reflect the popularity of driving, but we don't put up with them!
In any case, a cardholder's exposure to CNP fraud has nothing to do with whether they themselves shop online! Stolen card data are replayed online by criminals because they can. The online boom provides more places to use stolen cards but it's not where the criminals get most of their cards. Instead, it appears that account numbers are mostly obtained from massive database breaches at processors and large bricks-and-mortar retailers, like Heartland Payments, Global Payments, and Hannaford. So it's not fair to play down CNP fraud as relating to the cost of going digital, because it hurts people who haven't gone digital.
I'm afraid payments regulators seem light on ideas for actually rectifying CNP fraud.
Until recently, APCA actively promoted 3D Secure (Verified by Visa or Mastercard SecureCode) as a response to CNP fraud. In June 2011, APCA went so far as to say "retailers should be looking at a 3D Secure solution for their online checkout". But their most recent press release makes no mention of 3D Secure at all.
It looks to me that 3D Secure, after many years of disappointing performance and terrible take-up, is now too contentious to rate a mention from Australia’s regulators.
In my view, the industry needs to treat CNP fraud as seriously as it did skimming and carding. The industry should not resign itself to increasing rates of fraud just because online shopping is on the rise.
CNP fraud is not a technologically tough problem. It's just the digital equivalent of analogue skimming and carding, and it could be stopped just as effectively by using chips to protect cardholder data online.
Seasoned security analysts know the card fraud trends, but the latest stats in Australia are surprisingly bad.
The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, crunches them and plots the trend data.
Here's the latest picture of Australian payment card fraud growth over the past six calendar years CY2006-11.
For the first time in many years, card fraud has grown in all categories at once. The ratio of Card Not Present fraud to all fraud remained steady at just under three quarters. Any up-turn in skimming and counterfeiting is surprising given the strong penetration of chip-and-PIN cards in Australia, although most ATMs here still use the stripe and remain vulnerable to carding. Still, CNP fraud remains the preferred MO of organised crime, and its cost grew by 61% from 2010 to 2011.
"Innovation" is a topical notion in Australian payments systems circles, but for the most part innovation is confined to back end systemic improvements to interbank settlements. Regulators take a light touch on the user side. The market is fostering innovative payments applications in mobile devices, but so far, security still proves to be too hard. APCA's only position on security is to wait and see what happens when 3D Secure comes to Australia. Given that nothing has stood in its way, and CNP fraud is doubling every two years, the very absence of 3D Secure here should be worrying to the regulators.
Last week saw the biggest credit card data breach for a while, with around 1.5 million card numbers being stolen by organised crime from processor Global Payments [updated figures per Global Payments investor conference call, Apr 2nd].
So now there will be another few rounds of debate about how to harden these cardholder databases against criminal infiltration, and whether or not the processor was PCI-DSS compliant. Meanwhile, stolen card numbers can be replayed with impugnity and all the hapless customers can do is monitor their accounts for suspicious activity -- which can occur years later.
These days, the main use for stolen payment card data is Card Not Present (CNP) fraud. Traditional "carding" -- where data stolen by skimming is duplicated onto blank mag stripe cards to fool POS terminals or ATMs -- has been throttled in most places by Chip-and-PIN, leaving CNP as organised crime's preferred modus operandi. CNP fraud now makes up three quarters of all card fraud in markets like Australia, and is growing at 40-50% p.a.
All card fraud exploits a specific weakness in the Four Party card settlement system shown below. The model is decades old, and remains the foundation of internationally interoperable cards. In a triumph of technology neutrality, the four party arrangement was unchanged by the advent of e-commerce. The one problem with the system is that merchants accepting card numbers may be vulnerable to stolen numbers. Magnetic stripe terminals and Internet servers are unable to tell original cardholder data from copies replayed by fraudsters.
The most important improvment to the payments system was and still is to make card numbers non-replayable. Chip-and-PIN stops carding thanks to cryptographic processes implemented in hardware (the chip) where they cannot be tampered with, and where the secret keys that criminals would need are inaccessible. In essence, a Chip-and-PIN card encrypts customer data within the secure chip (actually, digitally signs it) using keys that never leave the confines of the integrated circuit. Even if a criminal obtains the card holder data, they are unable to apply the additional cryptographic transformations to create legible EMV card-present transactions. This is how Chip-and-PIN stemmed skimming and carding.
CNP fraud is just online carding, fuelled by industrial scale theft of customer records by organised crime, like the recent Global Payments episode. While the PCI-DSS regime reduces accidental losses and amateur attacks, it remains powerless to stop determined criminals, let alone corrupt insiders. When card numbers are available by the tens of millions, and worth several dollars each ($25 or more for platinum cards) truly nothing can stop them from being purloined.
The best way to tackle CNP fraud is to leverage the same hardware based cryptography that prevents skimming and carding.
Lockstep Technologies has developed and proven such a solution. Our award winning Stepwise digitally signs CNP transactions within an EMV chip, rendering card details sent to the merchant non-replayable. The merchant server checks a Stepwise CNP transaction using standard public key libraries; a valid Stepwise transaction can only have come from a genuine Chip-and-PIN card under the control of its holder.
All serious transaction and payments systems use hardware cryptography. The classic examples include mobile telephones' SIM cards, EMV chips, the Hardware Security Modules mandated by financial regulators in all ATMs, and the "secure elements" of NFC devices. With well designed hardware security, we gain a robust upper hand in the cybercrime arms race. So let's stop struggling with flabby distracting systems like 3D Secure, and let's stop pretending that PCI-DSS audits will stop organised crime getting hold of card numbers by the million. Instead, let's kill two birds with one stone and use chips to secure both card present and CNP transactions.
Stepwise creates uniquely secure, fast and easy-to-use CNP payments. It has zero impact on the security certifications of digital signature capable EMV chips, and zero impact on existing four party card processing arrangements.
For more details, please see http://lockstep.com.au/technologies/stepwise.
I recently posted the latest Card Not Present fraud figures for Australia. Technologically, CNP fraud is not a novel problem. We already have the tools and the cardholder habits to solve the CNP problem. We should look at the experience of skimming and carding, which was another tech problem that demanded a smart tech solution.
Card Not Present fraud is simply online carding.
A magnetic stripe card keeps the cardholder's details as a string of ones and zeroes, stored in the clear, and presents that string to a POS terminal or ATM. It's easy for a criminal to scan the ones and zeroes and copy them to a blank card.
In general terms, EMV or Chip-and-PIN cards work by encrypting those ones and zeros in the chip so they can only be correctly decoded by the terminal equipment. In reality the explanation is somewhat more complex, involving asymmetric cryptography, but for the purposes of explaining the parallel between skimming/carding and CNP fraud, we can skip the details. The salient point is that EMV cards prevent carding by using encryption inside the secure chip using keys that cannot be tampered with or substituted by an attacker.
As with mag stripe cards, conventional Card Not Present transactions transmit cleartext cardholder data, this time to a merchant server. On its own, a server cannot tell the difference between the original data and a copy, just as a POS terminal cannot tell an original bank issued cards from a criminal's copy.
Lockstep Technologies was first to see the parallel between skimming/carding and CNP fraud. Our solution "Stepwise" uses the same cryptographic technology in chip cards that prevents carding to digitally sign transactions created at a browser or mobile device. Stepwise signatures can be verified at any merchant server, using standard built-in software libraries and a widely distributed "master key".
I presented the Stepwise solution to the Payments Innovation stream at Cards & Payments Australia 2012 last week. The presentation is available here.
The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, condenses them and plots the trend data.
Here's the latest picture of Australian payment card fraud in three major categories over the past six financial years.
Card fraud by skimming and counterfeiting is holding steady, thanks to the security of EMV chip-and-PIN cards. Card Not Present (CNP) fraud is the preferred modus operandum of organised crime, and continues to grow unabated. The increase in CNP fraid from last financial year was 46%; CNP now represents 71% -- or nearly three quarters -- of total annual card fraud.
What's to be done about this never ending problem?
- The credit card associations' flagship online payment protocol "3D Secure", rolled out selectively and tentatively overseas, is loathed by customers and merchants alike. 3D Secure is virtually unknown in Australia.
- There have been various attempts to stem the tide of stolen cardholder details that fuels CNP fraud. Examples include 'big iron' software changes like "Tokenization" and the PCI-DSS security audit regime, which has proven expensive and largely futile. Arguments raged over whether Heartland Payments Systems (which suffered the world's biggest card data theft in 2009) was "really" PCI-DSS compliant. It's become so arbitrary that by the time the Sony PSN was breached last year with the loss of up to 70 million credit cards (nobody really knows how many) the question of whether Sony was PCI compliant never even came up.
- Or we could get smart and exploit the same cryptographic security that allows chip cards to stop skimming, to protect cardholder details between the user's device and the merchant server. See Lockstep Technologies' award winning Stepwise CNP security solution.
No before time, merchants are pushing back on the PCI-DSS regime, with a new law suit brought by a restaurant against the card companies. Infosec commentators like Ben Wright ask why all the onus should be on merchants when the payments industry could invest in better security technology?
Credit card numbers are a bit like nitroglycerine: handle them with great care or they'll blow up. The slightest slip-up, the smallest weakness in database security in the face of sophisticated Advanced Persistent Threats, and tens of millions of card numbers are lost to criminals. PCI-DSS compliance is fiercely expensive, but all it does is protect against accidents; it is powerless to stop determined attackers or corrupt insiders.
Is it fair to hold merchants responsible for the highly technical handling procedures of the PCI-DSS regime, when instead the card companies could stabilise their highly volatile card data?
The fundamental problem with payment card safety (as is the case with most digital identity security) is that numbers are replayable. It's child's play to take account data and replay it against unsuspecting merchants, either via cloned mag stripe cards or even easier, in online Card Not Present fraud.[See also updated CNP fraud trends for FY2011.]
Yet with chip technologies now widespread, and digital signature primitives ubiquitous in computing and Internet platforms, it's nearly trivial to eliminate replay attacks. Not only could we dramatically reduce the cost of stolen card details, we'd pull the rug out from under organised crime, and we'd boost privacy by cutting the vicious cycle of gathering more and more ancillary personal data for proving customer identity.
Lockstep's R&D has proven a solution for this problem. Fast, easy-to-use, private, secure, low cost, mature, and feasible.
It is no exaggeration to characterise the theft of personal information as an epidemic. Personal information in digital form is the lifeblood of banking and payments, government services, healthcare, a great deal of retail commerce, and entertainment. But personal records―especially digital identities―are stolen in the millions by organised criminals, to appropriate not just money but also the broader and fast growing intangible assets of “digital natives”. The Internet has given criminals x-ray vision into peoples’ details, and perfect digital disguises with which to defraud business and governments.
Credit card fraud over the Internet is the model cyber crime. Childs play to perpetrate, and fuelled by a thriving black market in stolen personal data, online card fraud represents 70% of all card fraud in Australia, continues to grow at 30-50% p.a., and here cost over A$120 million in 2010 (see http://lockstep.com.au/blog/2011/09/27/au-cnp-fraud-cy2010). The importance of this crime goes beyond the gross losses, for some of the proceeds are going to fund terrorism, as acknowledged by the US Homeland Security Committee.
Yet there is a deeper lesson in online card fraud: it needs to be seen as a special case of digital identity theft. ID theft is perpetrated by sophisticated organised crime gangs, behind the backs of the best trained and best behaved users, aided and abetted by insiders corrupted by enormous rewards. No amount of well meaning security policy or user awareness can defeat the profit motives of today’s online fraudsters.
As the digital economy is to the wider economy, so cyber crime is to crime at large. And yet the e-business environment remains stuck in a Wild West stage of development: it’s everyone for themselves! There is no consistency in the gadgets foisted upon consumers to access online businesses and services; worse, most are flawed and readily subverted by hackers. We could build security deep into our transaction platforms to prevent identity theft, phishing, web site spoofing and spam―the requisite building blocks like digital signature toolkits and personal smart devices are now ubiquitous―but instead, almost all attention turns to user awareness. Yet education has reached its use-by date, rendered utterly obsolete by the industrialisation of cybercrime (see also http://lockstep.com.au/library/online_banking_review/obr-lockstep-200810-many-hand.pdf). Most everyone now knows they need a firewall and anti-virus software but they're misguided measures when most identities are stolen in other channels utterly beyond the users' control. The predominant technology neutral policy position of government and the banking industry has not fostered market driven innovation as hoped but instead has created a leadership vacuum, leaving consumers to fend for themselves.
To really curtail cyber crime we need the sort of concerted and balanced effort that typifies security in all other walks of life, like transportation, energy and finance. Car owners don't fit their own seat belts and airbags as after-market nice-to-haves; bank customers don’t need to install their own security screens; bank robbers are not kept at bay by security audits alone. The time has come, now that we’re constructing the digital economy, to embrace intelligent security technologies that can actually prevent identity theft and cyber crime.
The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, condenses them and plots the trend data.
Here's the latest picture of card fraud in three major categories over the past five calendar years.
It appears that EMV chip cards continue to stifle skimming and counterfeiting, but Card Not Present (CNP) fraud is left as the preferred MO of organised crime, and continues to grow unabated.
It's high time that banks and online merchants took definitive steps to prevent the replay of stolen card numbers. See Lockstep Technologies' Stepwise.