
Buyer beware?


BUYER BEWARE

Computer Fraud & Security, March 2010, p. 10

decide that crawling was just so much more sensible. And this tolerance needs to be accepted within the reporting.

Devolved management

Good management involves devolving responsibility and authority to others, for them to motivate and manage their staff in a way that fits best with their approach and the culture of the team. However, I often find that a culture of information security is still implemented centrally, which can be less effective. For example, a marketing team is likely to be made up of people with different hobbies and attitudes from those in incident management or research and development, and yet in many situations the motivation is taken to be uniform across all specialists.


The important issue for middle management is how to demonstrate their achievements. While monitoring laptop loss might be effective in a team where mobile working is more common, it is unhelpful where the norm is for staff to work on desktop machines.

Measuring the difference

I have just returned from presenting at the 3rd Athens International Forum on Security, and one of the issues that was entertainingly expounded upon by Dr. Derek Oliver was the issue of security metrics. He made the point that metrics are the language of senior management. This category of professional likes results that can be seen on charts and mapped over time and across the organisation to evaluate their effectiveness.

Measure to improve

Oliver’s key point was that if you can’t measure, you can’t improve. So, what shall we measure? We can answer that by answering another question: what is the reason for focusing on the information security or security awareness initiative? It may be compliance requirements, or a recent incident, either within the business or a comparable business. It may be a concern that the current level of operational security places the organisation in too much danger. Understand the risk, and the operations that need to change, and you can set a baseline and then refer back to that for comparison.

One organisation I heard about recently had a concerted campaign one Christmas to ask staff to be cautious about opening electronic cards, because of the risks they might carry. At the beginning of January, not only were they able to confirm that many more cards were deleted unopened, but the security monitoring was able to show a 70% reduction in the infection rate on machines compared to the same time the previous year. In this case, a little discussion between the security awareness programme designer and the network security people meant that data could be captured that not only justified the e-card campaign, but demonstrated the possible effectiveness of an awareness campaign.

So, remember to identify the risks, and the operations relating to those risks, when trying to measure the progress that staff have made in tightening up your organisation’s security practices. And don’t forget the catalysing effect of motivation. A little bonus to reward increased security awareness can boost morale. Whenever achieving the goal leaves staff feeling good about it, the next message you have to get across is that little bit easier to deliver. And that is always a bonus.

Buyer beware?

David Birch, managing director, Consult Hyperion

Whether it’s conducted electronically, through the post, or in person, fraud is nothing new. So let’s make that our starting point. Of course, at some stage, fraud will get so bad that the banks will start to worry about it in earnest. At the moment, it looks like that’s some way away, since – in the US, at least – fraud makes up less than 1% in card portfolios that have bad debt well in excess of 6%. It is pretty clear which area will be attracting the most management attention for the foreseeable future.

Likewise, it is also clear that chip and PIN has not solved the problem of payment fraud either. So far, the strangest chip and PIN security story is the one about the POS terminals in British supermarkets that supposedly had “extra components” added at the factory in China, and are now sending card details to Pakistan via mysterious wireless technology.

Tampering with POS terminals

All I can say is: fear not. The tampering of POS devices does not take place in the factories, and it is neither perfect nor undetectable. What is actually happening is that fraudsters, often from Eastern Europe, are buying or stealing used POS terminals and adding card data loggers and memory.

The POS terminals are often sourced in pairs, so that a complete bogus terminal can be made from the remnants of two non-bogus terminals (some of the parts are destroyed by tampering). The fraudsters collude with mainly Sri Lankan criminals to get the bogus terminals placed, generally at petrol stations and other high-traffic locations, and often in collusion with low-paid retail staff.


After a couple of weeks, the bogus terminal is removed and replaced with the real terminal, and the fraudsters get thousands of card details and PINs from the memory. These details are then used to manufacture counterfeit magnetic stripe cards for use in foreign ATMs (in, for example, Bulgaria) and non-chip merchants (in, for example, the USA).

So, this scare story has little to do with Sainsbury’s or Asda, despite recent stories that magnetic stripe counterfeiters were going to target UK supermarkets, although goodness knows why, since most of them go online for stripe transactions. Not only that, but seeing as the integrated POS terminals used in Sainsbury’s and Asda connect only to the Sainsbury’s and Asda systems (and not to the internet), they wouldn’t be able to send fraudulent data back that way anyway.

If criminals are using stolen card data to make cardholder not present (CNP) transactions, and merchants are accepting the card details without a card verification value (CVV), then British shoppers aren’t losing a penny; the merchants are. Also, to the best of my knowledge, the data from compromised terminals (which is being collected by the loggers) is typically used to make cards for use in foreign ATMs and terminals, not to make purchases on the internet, and especially not for items that require a delivery address.

The problem with chip and PIN

On a similar subject, I also had a few calls about the chip and PIN “Tetris stunt”. Basically, some guys at Cambridge took the innards out of a chip and PIN terminal and replaced them with something else. First of all, there is nothing in EMV (the current standard for the interoperation of chip cards, POS terminals and cash machines for authenticating credit and debit cards) that requires terminals to be tamper-proof. Yes, they have to be tamper-evident, but that is entirely different – and to the best of my knowledge none of the manufacturers have actually claimed them to be tamper-proof.

Since criminals have already demonstrated this kind of attack in the field (most famously in the Shell case), these researchers from Cambridge seem a little behind the curve. As I see it, this story has nothing to do with chip and PIN. As threats go, this is no different from putting an “out of order” sign on the bank night safe and pretending to be a security guard. If you can persuade consumers to put their card and PIN into a box under your control, then you can skim the details – but that is not a failing of the technology behind chip and PIN.

Does any of this matter? Probably not nearly as much as people think. Attacks like these are only a threat in that card details and PINs can be used to manufacture counterfeit magnetic stripe cards (the security of the chip isn’t actually compromised), which means that these cards can be used in foreign ATMs to withdraw money because fallback is allowed: that is, a card that doesn’t have a working chip can still be used via the magnetic stripe.
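Whether fallback is honoured is the issuer’s decision, and the rule is simple enough to write down. The following is an added example (not code from the column, and not any card scheme’s authorisation rules): an issuer-side authorisation function that refuses magnetic-stripe transactions on chip cards unless fallback has been explicitly enabled for the card, plus a check over a batch of transactions for terminals whose fallback rate looks like a tampered or deliberately broken reader. The DE22 entry-mode codes, the field names and the sample transactions are assumptions constructed for the example.

```python
"""Issuer-side handling of magnetic-stripe fallback on chip cards.

Added example, not the column's and not any card scheme's rules. It makes the
point above concrete: skimmed track data only turns into cash if an issuer
approves a magnetic-stripe transaction on a card that carries a chip. The
DE22 (ISO 8583 field 22) entry-mode values are the commonly used ones but are
an assumption here; schemes define their own codes and fallback policies.
"""
from collections import defaultdict
from dataclasses import dataclass

ENTRY_MANUAL = "01"            # key-entered PAN
ENTRY_CHIP = "05"              # contact chip read
ENTRY_CONTACTLESS_CHIP = "07"
ENTRY_FALLBACK = "80"          # chip read failed, terminal fell back to the stripe
ENTRY_MAGSTRIPE = "90"         # full stripe read, no chip attempt


@dataclass
class Card:
    pan: str
    has_chip: bool
    allow_fallback: bool = False   # the issuer's "turn off fallback" switch


@dataclass
class Transaction:
    pan: str
    entry_mode: str                # DE22 PAN entry mode
    terminal_id: str
    terminal_chip_capable: bool


def authorise(card: Card, txn: Transaction) -> tuple:
    """Return (approved, reason) for one authorisation request."""
    if txn.pan != card.pan:
        return False, "pan-mismatch"
    if txn.entry_mode in (ENTRY_CHIP, ENTRY_CONTACTLESS_CHIP):
        return True, "chip-read"
    if not card.has_chip:
        return True, "stripe-only-card"          # nothing to fall back from
    # A chip card whose chip was not used: exactly the counterfeit-stripe pattern.
    if txn.entry_mode == ENTRY_FALLBACK:
        if card.allow_fallback:
            return True, "fallback-allowed"
        return False, "fallback-disabled"
    if txn.entry_mode == ENTRY_MAGSTRIPE:
        if txn.terminal_chip_capable:
            return False, "stripe-at-chip-terminal"   # no fallback flag, no excuse
        if card.allow_fallback:
            return True, "stripe-only-terminal"     # e.g. a non-chip merchant abroad
        return False, "stripe-only-terminal-fallback-disabled"
    if txn.entry_mode == ENTRY_MANUAL:
        return False, "manual-entry-on-chip-card"
    return False, "unknown-entry-mode"


def suspicious_terminals(txns, min_txns=20, max_fallback_share=0.05) -> list:
    """Terminal IDs whose fallback share is abnormally high. A reader that has
    been tampered with, or deliberately 'broken', falls back on every chip card."""
    total, fallback = defaultdict(int), defaultdict(int)
    for t in txns:
        total[t.terminal_id] += 1
        fallback[t.terminal_id] += int(t.entry_mode == ENTRY_FALLBACK)
    return sorted(tid for tid, n in total.items()
                  if n >= min_txns and fallback[tid] / n > max_fallback_share)


def sample_transactions() -> list:
    """Constructed sample: a petrol-station terminal falling back on half its chip
    cards, and an ordinary shop terminal with a single fallback in thirty."""
    txns = []
    for i in range(30):
        mode = ENTRY_FALLBACK if i % 2 == 0 else ENTRY_CHIP
        txns.append(Transaction(f"40000000000{i:05d}", mode, "PETROL-17", True))
    for i in range(30):
        mode = ENTRY_FALLBACK if i == 0 else ENTRY_CHIP
        txns.append(Transaction(f"40000000000{i:05d}", mode, "SHOP-02", True))
    return txns
```

The authorisation function refuses a stripe read of a chip card at a chip-capable terminal outright, and only honours a fallback or a stripe-only terminal when the issuer has opted the card in; the terminal-level check is the detection side, since a reader that produces fallbacks on half its chip cards is either faulty or tampered with.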

Alternative approaches

The long-term solution – apart from turning off fallback – is to stop having this sort of POS terminal, where the card details and customer PIN are both known in the same place. As such, it looks like we’ll need to start looking at the next generation of card technology for a solution, whereby the smarts and the PIN never leave the customer’s hands, because they are, for example, in the customer’s mobile phone.

With that approach, even the theoretical threat will be reduced. Fortunately, credit and debit cards are already disappearing into mobile phones, which means that the banking sector should be ramping up its efforts in the mobile arena. And, to be fair, they already are.

In the meantime, certain elements of both of these stories do raise a reasonable point: how do you make the POS terminal supply chain more secure? The answer is, of course, that you don’t. You put a security module (another smart card, essentially) inside the terminal so that the terminal doesn’t need to be secure.


This changes the problem of making terminals secure into the problem of making smart cards secure, which is far more likely to succeed. This is precisely how this technology works within ITSO, the UK transport smart card scheme, where the data is encrypted between the card and the Security Access Module (SAM), so the terminal itself never sees data in the clear. Managing the smart card supply chain securely is something that banks, telecoms operators, and their suppliers already do, and so it shouldn’t be too difficult for them to make it work.

Without this change, the prospects of fraud reducing remain slightly gloomy. Clones of a number of French credit cards have already been found in Europe, and I would imagine that we’ll begin to see this kind of cloning on a large scale as the card verification value for integrated circuit cards (iCVV) base expands. When you add this to the lack of a mass market solution for EMV in the internet and telephone ordering environment, card fraud will continue to be a problem for some time to come.

Going mobile

Again, I come back to the case for mobile commerce (m-commerce) at this point, and the use of near field communication (NFC), a short-range, high-frequency wireless communication technology that enables the exchange of data between devices, as a way of conducting a variety of electronic transactions securely. The recent breakthroughs in this area are the result of a strategic collaboration between some of the world’s leading mobile technology developers, smart card manufacturers, service providers and standards bodies, including members of GlobalPlatform, ETSI, NFC Forum and the GSMA.

This kind of contactless technology makes use of smart cards and radio waves rather than physical contacts to communicate with the chip inside the card. As such, it can be used in areas like mobile ticketing in order to reduce the production and distribution costs connected with traditional paper-based ticketing channels, and can also increase customer convenience by providing new, secure and simpler ways to purchase tickets.

In fact, since NFC-enabled mobile phones can host payment and ticketing applications, which can be linked to a user’s bank account, the data transfer made possible by NFC will increasingly take the form of actual financial payments. Since most people carry their mobile phones with them every day – whether or not they happen to be carrying any cash – this combination of NFC and mobile phones means that customers will be able to order, pay for, obtain and validate tickets from any location, and at any time, using mobile phones or other mobile handsets.

Of course, whenever contactless technology is mentioned, security concerns are raised yet again. Contactless technology, in general, can be attacked in a number of different ways, including proximity attacks like sniffing, eavesdropping and relay attacks, to capture unencrypted data with intent to create, for example, clone or counterfeit cards, or to launch replay attacks.

Other side-channel attacks include simple and differential power analysis attacks, fault analysis and possibly timing and glitch attacks. Some of these techniques were used recently to reverse-engineer the CRYPTO-1 algorithm to recover the keys in the Mifare Classic chip. The attackers optimised their attack to a point where it took just a couple of minutes to recover the keys on standard PC equipment after skimming the card.

However, important points and lessons were learned about effectively managing the security of sensitive data in NFC devices as a result. These include the need to protect valuable information with strong (and non-proprietary) cryptographic processes and mutual authentication, in order to ensure that any data sent in the clear is of no significance in mounting other attacks.

Likewise, you can protect against replay attacks by using internal transaction counters. The security mechanisms should obviously extend beyond the NFC device itself into the back-end systems as well, to help protect against cloned or counterfeit cards using hot lists.
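The countermeasures just listed (mutual authentication, a transaction counter against replay, and back-end hot lists) are the same ones that make the security-module architecture described under “Alternative approaches” work, so one added example serves both passages. What follows is not ITSO’s, EMV’s or any scheme’s real protocol and not code from the column: it models a card and a SAM that share a diversified key, a terminal that only relays ciphertext and logs everything it sees (as a tampered one with a data logger would), and a back end that checks a MAC, the counter and a hot list. The message layout, the key derivation and the HMAC-in-counter-mode keystream standing in for AES are all assumptions made so that the example runs with the Python standard library alone.

```python
"""Card-to-SAM secure channel through an untrusted terminal.

Added example; not ITSO's, EMV's or any scheme's real protocol. Keys live in the
card and in a security module (SAM) inside the terminal; the terminal only relays
ciphertext, and the back end enforces a transaction counter and a hot list. The
message layout, key derivation and HMAC-based keystream (standing in for AES)
are assumptions made so the example runs with the standard library alone.
"""
import hashlib
import hmac
import os

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, used for MACs and key derivation."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC in counter mode: a stand-in for AES-CTR, not any scheme's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, b"ks", i.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

MASTER_KEY = os.urandom(32)  # issuer master key (constructed for the example)
HOST_KEY = os.urandom(32)    # shared by SAM and back end (constructed)

class Card:
    def __init__(self, card_id: bytes, pan: str):
        self.card_id, self.pan, self.atc = card_id, pan, 0   # atc: transaction counter
        self.key = prf(MASTER_KEY, b"div", card_id)          # diversified per-card key

    def respond(self, sam_nonce: bytes) -> dict:
        self.atc += 1
        atc, nonce = self.atc.to_bytes(4, "big"), os.urandom(16)
        pan_ct = stream_xor(prf(self.key, b"sess", nonce, sam_nonce, atc), self.pan.encode())
        auth = prf(self.key, b"card", self.card_id, nonce, sam_nonce, atc, pan_ct)
        return {"card_id": self.card_id, "nonce": nonce, "atc": atc, "auth": auth, "pan_ct": pan_ct}

    def verify_sam(self, sam_nonce: bytes, msg: dict, sam_auth: bytes) -> bool:
        expected = prf(self.key, b"sam", sam_nonce, msg["nonce"], msg["atc"])
        return hmac.compare_digest(expected, sam_auth)

class SAM:
    """Security module inside the terminal: the only place keys exist there."""
    def process(self, sam_nonce: bytes, msg: dict):
        key = prf(MASTER_KEY, b"div", msg["card_id"])
        expected = prf(key, b"card", msg["card_id"], msg["nonce"], sam_nonce, msg["atc"], msg["pan_ct"])
        if not hmac.compare_digest(expected, msg["auth"]):
            return None                   # wrong key, or a replayed message (old nonce)
        pan = stream_xor(prf(key, b"sess", msg["nonce"], sam_nonce, msg["atc"]), msg["pan_ct"])
        # Re-encrypt for the back end and MAC the record; the PAN never leaves in clear.
        pan_ct = stream_xor(prf(HOST_KEY, b"host", msg["card_id"], msg["atc"]), pan)
        rec = {"card_id": msg["card_id"], "atc": msg["atc"], "pan_ct": pan_ct}
        rec["mac"] = prf(HOST_KEY, b"rec", rec["card_id"], rec["atc"], pan_ct)
        return prf(key, b"sam", sam_nonce, msg["nonce"], msg["atc"]), rec

class Host:
    """Back end: checks the SAM's MAC, the transaction counter and the hot list."""
    def __init__(self):
        self.last_atc, self.hot_list, self.settled = {}, set(), []

    def settle(self, rec: dict) -> str:
        mac = prf(HOST_KEY, b"rec", rec["card_id"], rec["atc"], rec["pan_ct"])
        if not hmac.compare_digest(mac, rec["mac"]):
            return "rejected:bad-mac"
        if rec["card_id"] in self.hot_list:
            return "rejected:hot-listed"
        atc = int.from_bytes(rec["atc"], "big")
        if atc <= self.last_atc.get(rec["card_id"], 0):
            return "rejected:replay"      # counter did not advance
        self.last_atc[rec["card_id"]] = atc
        pan = stream_xor(prf(HOST_KEY, b"host", rec["card_id"], rec["atc"]), rec["pan_ct"])
        self.settled.append(pan.decode()) # PAN appears in clear only here
        return "approved"

class Terminal:
    """Untrusted relay that logs every byte it handles, as a tampered one would."""
    def __init__(self, sam: SAM, host: Host):
        self.sam, self.host, self.captured, self.last_rec = sam, host, [], None

    def transact(self, card: Card) -> str:
        sam_nonce = os.urandom(16)        # challenge (generated inside the SAM in practice)
        msg = card.respond(sam_nonce)
        self.captured.append(msg["pan_ct"])
        result = self.sam.process(sam_nonce, msg)
        if result is None:
            return "rejected:card-not-authentic"
        sam_auth, rec = result
        self.captured.append(rec["pan_ct"])
        if not card.verify_sam(sam_nonce, msg, sam_auth):
            return "rejected:sam-not-authentic"
        self.last_rec = rec               # a logger could keep this and replay it
        return self.host.settle(rec)
```

Two things are worth checking when running it: nothing the terminal captured contains the PAN, and a captured card response fed back to the SAM under a fresh challenge fails authentication because the MAC is bound to the old nonce, while a captured settlement record replayed to the host fails on the counter. The PAN is decrypted inside the SAM only to be re-encrypted for the host; a production design would keep it under a host key end to end, but the trust boundary is the same.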


Trust in contactless systems

Despite these security concerns, it seems that retailers overwhelmingly trust contactless technology, according to analysts at the Aberdeen Group. An Aberdeen survey on contactless payments addressed issues concerning a secure environment for contactless transactions. The results of the survey showed that 80% of all respondents did not see security implications as a chief reason for not considering contactless technology within their enterprise. In fact, a third of the enterprises that currently offered contactless payments said that the technology was actually a benefit in terms of card security and/or privacy.

Even so, mobile payments will still bring their own security challenges. If mobile phones are going to be used as credit cards with £10,000 credit limits, or annual season tickets worth £3,000 on the rail networks, or as corporate identity cards or log-in devices for bank accounts, or for any of a myriad of other transactional purposes, then the service providers, their customers, and their regulators will need to be confident about the security of the systems.

We think that if stakeholders carry out methodical risk analysis and implement appropriate countermeasures, they will determine not only that mobile payments can be made safe, but that they would actually be crazy to carry on using cards.

About the author

David G.W. Birch is a director of Consult Hyperion, which he helped to found in 1986. Prior to this he spent several years working as a consultant in Europe, the Far East and North America. He graduated from the University of Southampton with a B.Sc (Hons.) in Physics. Described by The Independent newspaper in 2004 as a ‘grade-A geek’, and by the Centre for the Study of Financial Innovation in 2005 as ‘one of the most user-friendly of the UK’s uber-techies’, Dave is a member of the advisory board for European Business Review and UK correspondent to the Journal of Internet Banking and Commerce.

He has lectured to MBA level on the impact of new information and communications technologies, written for publications ranging from the Parliamentary IT Review to Financial World and is well known for his more than 100 “Second Sight” columns in The Guardian’s Online supplement. He is a media commentator on electronic business issues and has appeared on BBC television and radio, Sky and other channels around the world.