For all the talk of ecosystems ...
Yet another breathless report crossed my desk via Twitter this morning where the rise of mobile payments is predicted to lead to cards and cash "disappearing", in this case by 2020. Notably, this hyperventilation comes not from a tech vendor but instead from a "research" company.
So I started to wonder why the success of mobile payments (or any other disruptive technology) is so often framed in terms of winner-take-all. Surely we can imagine new payments modalities being super successful without having to see plastic cards and cash disappear? It might just be that press releases and Twitter tend towards polar language. More likely, and not unrelatedly, it's because a lot of people really think this way.
It's especially ironic given how the term "ecosystem" tops most Buzzword Bingo cards these days. If commentators were to actually think ecologically for a minute they'd realise that the extinction of a Family or Order at the hands of another is very rare indeed.
Killing two birds with one chip
Last week saw the biggest credit card data breach for a while, with around 1.5 million card numbers being stolen by organised crime from processor Global Payments [updated figures per Global Payments investor conference call, Apr 2nd].
So now there will be another few rounds of debate about how to harden these cardholder databases against criminal infiltration, and whether or not the processor was PCI-DSS compliant. Meanwhile, stolen card numbers can be replayed with impugnity and all the hapless customers can do is monitor their accounts for suspicious activity -- which can occur years later.
These days, the main use for stolen payment card data is Card Not Present (CNP) fraud. Traditional "carding" -- where data stolen by skimming is duplicated onto blank mag stripe cards to fool POS terminals or ATMs -- has been throttled in most places by Chip-and-PIN, leaving CNP as organised crime's preferred modus operandi. CNP fraud now makes up three quarters of all card fraud in markets like Australia, and is growing at 40-50% p.a.
All card fraud exploits a specific weakness in the "Four Party" card settlement system shown below. The model is decades old, and remains the foundation of internationally interoperable cards. In a triumph of technology neutrality, the four party arrangement was unchanged by the advent of e-commerce. The one problem with the system is that merchants accepting card numbers may be vulnerable to stolen numbers. Magnetic stripe terminals and Internet servers are unable to tell original cardholder data from copies replayed by fraudsters.
The most important improvment to the payments system was and still is to make card numbers non-replayable. Chip-and-PIN stops carding thanks to cryptographic processes implemented in hardware (the chip) where they cannot be tampered with, and where the secret keys that criminals would need are inaccessible. In essence, a Chip-and-PIN card encrypts customer data within the secure chip (actually, digitally signs it) using keys that never leave the confines of the integrated circuit. Even if a criminal obtains the card holder data, they are unable to apply the additional cryptographic transformations to create legible EMV card-present transactions. This is how Chip-and-PIN stemmed skimming and carding.
CNP fraud is just online carding, fuelled by industrial scale theft of customer records by organised crime, like the recent Global Payments episode. While the PCI-DSS regime reduces accidental losses and amateur attacks, it remains powerless to stop determined criminals, let alone corrupt insiders. When card numbers are available by the tens of millions, and worth several dollars each ($25 or more for platinum cards) truly nothing can stop them from being purloined.
The best way to tackle CNP fraud is to leverage the same hardware based cryptography that prevents skimming and carding.
Lockstep Technologies has developed and proven such a solution. Our award winning Stepwise digitally signs CNP transactions within an EMV chip, rendering card details sent to the merchant non-replayable. The merchant server checks a Stepwise CNP transaction using standard public key libraries; a valid Stepwise transaction can only have come from a genuine Chip-and-PIN card under the control of its holder.
All serious transaction and payments systems use hardware cryptography. The classic examples include mobile telephones' SIM cards, EMV chips, the Hardware Security Modules mandated by financial regulators in all ATMs, and the "secure elements" of NFC devices. With well designed hardware security, we gain a robust upper hand in the cybercrime arms race. So let's stop struggling with flabby distracting systems like 3D Secure, and let's stop pretending that PCI-DSS audits will stop organised crime getting hold of card numbers by the million. Instead, let's kill two birds with one stone and use chips to secure both card present and CNP transactions.
Stepwise creates uniquely secure, fast and easy-to-use CNP payments. It has zero impact on the security certifications of digital signature capable EMV chips, and zero impact on existing four party card processing arrangements.
For more details, please see http://lockstep.com.au/technologies/stepwise.
Posted in Smartcards, Payments, Fraud
CNP fraud is just online carding
I recently posted the latest Card Not Present fraud figures for Australia. Technologically, CNP fraud is not a novel problem. We already have the tools and the cardholder habits to solve the CNP problem. We should look at the experience of skimming and carding, which was another tech problem that demanded a smart tech solution.
Card Not Present fraud is simply online carding.
A magnetic stripe card keeps the cardholder's details as a string of ones and zeroes, stored in the clear, and presents that string to a POS terminal or ATM. It's easy for a criminal to scan the ones and zeroes and copy them to a blank card.
In general terms, EMV or Chip-and-PIN cards work by encrypting those ones and zeros in the chip so they can only be correctly decoded by the terminal equipment. In reality the explanation is somewhat more complex, involving asymmetric cryptography, but for the purposes of explaining the parallel between skimming/carding and CNP fraud, we can skip the details. The salient point is that EMV cards prevent carding by using encryption inside the secure chip using keys that cannot be tampered with or substituted by an attacker.
As with mag stripe cards, conventional Card Not Present transactions transmit cleartext cardholder data, this time to a merchant server. On its own, a server cannot tell the difference between the original data and a copy, just as a POS terminal cannot tell an original bank issued cards from a criminal's copy.
Lockstep Technologies was first to see the parallel between skimming/carding and CNP fraud. Our solution "Stepwise" uses the same cryptographic technology in chip cards that prevents carding to digitally sign transactions created at a browser or mobile device. Stepwise signatures can be verified at any merchant server, using standard built-in software libraries and a widely distributed "master key".
I presented the Stepwise solution to the Payments Innovation stream at Cards & Payments Australia 2012 last week. The presentation is available here.
See also technical details here and a live demo on the ABC TV "New Inventors" program.
Posted in Smartcards, Payments, Fraud
Card Not Present now three quarters of all fraud
The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, condenses them and plots the trend data.
Here's the latest picture of Australian payment card fraud in three major categories over the past six financial years.
Card fraud by skimming and counterfeiting is holding steady, thanks to the security of EMV chip-and-PIN cards. Card Not Present (CNP) fraud is the preferred modus operandum of organised crime, and continues to grow unabated. The increase in CNP fraid from last financial year was 46%; CNP now represents 71% -- or nearly three quarters -- of total annual card fraud.
What's to be done about this never ending problem?
- The credit card associations' flagship online payment protocol "3D Secure", rolled out selectively and tentatively overseas, is loathed by customers and merchants alike. 3D Secure is virtually unknown in Australia.
- There have been various attempts to stem the tide of stolen cardholder details that fuels CNP fraud. Examples include 'big iron' software changes like "Tokenization" and the PCI-DSS security audit regime, which has proven expensive and largely futile. Arguments raged over whether Heartland Payments Systems (which suffered the world's biggest card data theft in 2009) was "really" PCI-DSS compliant. It's become so arbitrary that by the time the Sony PSN was breached last year with the loss of up to 70 million credit cards (nobody really knows how many) the question of whether Sony was PCI compliant never even came up.
- Or we could get smart and exploit the same cryptographic security that allows chip cards to stop skimming, to protect cardholder details between the user's device and the merchant server. See Lockstep Technologies' award winning Stepwise CNP security solution.
Card numbers are like nitroglycerine
No before time, merchants are pushing back on the PCI-DSS regime, with a new law suit brought by a restaurant against the card companies. Infosec commentators like Ben Wright ask why all the onus should be on merchants when the payments industry could invest in better security technology?
Credit card numbers are a bit like nitroglycerine: handle them with great care or they'll blow up. The slightest slip-up, the smallest weakness in database security in the face of sophisticated Advanced Persistent Threats, and tens of millions of card numbers are lost to criminals. PCI-DSS compliance is fiercely expensive, but all it does is protect against accidents; it is powerless to stop determined attackers or corrupt insiders.
Is it fair to hold merchants responsible for the highly technical handling procedures of the PCI-DSS regime, when instead the card companies could stabilise their highly volatile card data?
The fundamental problem with payment card safety (as is the case with most digital identity security) is that numbers are replayable. It's child's play to take account data and replay it against unsuspecting merchants, either via cloned mag stripe cards or even easier, in online Card Not Present fraud.
[See also updated CNP fraud trends for FY2011.]Yet with chip technologies now widespread, and digital signature primitives ubiquitous in computing and Internet platforms, it's nearly trivial to eliminate replay attacks. Not only could we dramatically reduce the cost of stolen card details, we'd pull the rug out from under organised crime, and we'd boost privacy by cutting the vicious cycle of gathering more and more ancillary personal data for proving customer identity.
Lockstep's R&D has proven a solution for this problem. Fast, easy-to-use, private, secure, low cost, mature, and feasible.
CNP fraud keeps growing without limit
The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures, condenses them and plots the trend data.
Here's the latest picture of card fraud in three major categories over the past five calendar years.
It appears that EMV chip cards continue to stifle skimming and counterfeiting, but Card Not Present (CNP) fraud is left as the preferred MO of organised crime, and continues to grow unabated.
It's high time that banks and online merchants took definitive steps to prevent the replay of stolen card numbers. See Lockstep Technologies' Stepwise.