@NTXISSA #NTXISSACSC3
EMV and the Future of Payments
Dr. Branden Williams
@BrandenWilliams
http://www.brandenwilliams.com/
2 October 2015
The Threat Landscape
How many states currently have data
breach legislation on the books?
How many questions are asked to Siri
in any given minute?
According to the National Association
of Federal Credit Unions, what was the
average amount spent by member
institutions on merchant data breaches
in 2014?
FUN STUFF GOES HERE
Sorry, had to be present!
The Results of a Data Breach Cause Significant
Impacts Across Business Operations
• Reputational risk / damage
• Negative impact to your brand
• Investigation of breach
• Fines / liability
• Loss of confidential business information
• Remediation of breach
The Cost of a Data Breach is Staggering
• Since 2013, many major retailers have experienced data breaches.
• Reject cost-per-record estimates; just understand that it’s expensive.
Four Key Cyber Assets Targeted by Criminals
POS Environments
• POS intrusions accounted for 40% of all assets targeted.
• If a POS is attacked, the business is most likely US-based.
Credit Cards
• 49% of breach investigations involved Personally Identifiable Information (PII) and cardholder data.
• Attackers shifted focus back to payment card data from non-payment card data.
eCommerce
• Accounted for 42% of all investigations in 2014.
• 64% of retail industry breaches were eCommerce.
• “Password1” was still the most commonly used password.
Mobile Apps
• 95% of mobile applications are vulnerable.
• 35% of mobile apps had critical issues.
• 45% of mobile apps had high-risk issues.
• 6: median number of vulnerabilities per mobile app.
SOURCE: 2015 TrustWave Global Security Report.
POS Malware Poses an Insidious Threat
• POS malware is extremely lucrative for criminals and extraordinarily difficult to detect.
• In 60% of cases, attackers are able to compromise an organization within minutes.
• POS breaches account for nearly one-third of all types of breaches.
Figure: Nine Main Types of Breaches
SOURCE: Verizon 2015 Data Breach Investigations Report.
Data Protection is Top of Mind for Today’s Executives
Benefits of Data Protection
• Preserve Stakeholder Value: avoid costs due to remediation and a negative brand image.
• Secure POS Systems: protect your customers’ data during and after the transaction process.
• End-to-End Protection: minimal operation and systems impact.
Or is it?
Really Guys? </Cartman>
Oxford University and the UK’s Centre for the Protection of National Infrastructure survey results:
“Concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it.”
Winnefeld Jr, P. A. S., Kirchhoff, C., & Upton, D. M. (2015). Cybersecurity's human factor: Lessons from the pentagon. Harvard Business Review, 93(9), 87-95.
So how does EMV help?
NTX ISSA Cyber Security Conference – October 2-3, 2015
EMV Highlights
• Widely adopted 1990s technology
• Designed to facilitate offline transactions & minimize card-present fraud (over time)
• The US implemented a Chip & Choice version (not exclusively Chip & PIN)
• PIN transactions will occur, but likely remain debit-focused
• Most will do Chip & Sign, or just Chip
• Modern implementations are surprisingly effective
Fraud in the UK
Figures from Fraud the Facts, 2015. UK Payments Administration.
Fraud in the UK (cont.)
Figures from Fraud the Facts, 2015. UK Payments Administration.
Targets will change
• Fraudsters will move away from magstripe to focus on card-not-present and other types of attacks to gain funds
• But attack mechanisms have not changed much: malware, vishing, large-scale hacks
• What EMV considers routing data, we consider sensitive data:
  • Vishers may not call to ask for the PIN, but instead for the CVV2
  • Some merchants may accept transactions without CVV2
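The EMV Highlights slide says chip transactions minimize card-present fraud, and the slide above says the PAN and expiry that EMV treats as routing data are what we treat as sensitive. The following Python model, added here and not part of the original deck, shows both points in one run: a captured chip authorization cannot be replayed or re-priced, because the issuer checks a per-transaction counter and a keyed cryptogram, while the clear PAN and expiry from the same card are enough for a card-not-present purchase at a merchant that does not require CVV2. It is a simplified model, not the EMV specification: a real ARQC is a 3DES or AES MAC under a card key derived from the issuer master key, whereas here a constructed per-card secret and HMAC-SHA256 stand in for it, and the PAN, expiry, CVV2, key and unpredictable number are all made up for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values for this example; none of these is a real account or key.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "2512"       # YYMM, the form used in Track 2 data
SAMPLE_CVV2 = "123"          # printed on the card; not present in chip or stripe data
SAMPLE_CARD_KEY = b"per-card-secret-standing-in-for-the-EMV-card-key"


@dataclass
class ChipCard:
    """The card's side: clear 'routing data' plus a per-transaction cryptogram."""
    pan: str
    expiry: str
    key: bytes
    atc: int = 0  # Application Transaction Counter, increments once per transaction

    def track2_equivalent(self) -> str:
        # A real card returns PAN and expiry in the clear. This is the 'routing
        # data' the deck calls sensitive: all an attacker needs for a CNP attempt.
        return f"{self.pan}D{self.expiry}"

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        # Stand-in for the ARQC: a keyed MAC over ATC, amount and the terminal's
        # unpredictable number, so no two authorizations carry the same value.
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|".encode() + unpredictable_number
        arqc = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "arqc": arqc}


class Issuer:
    """The issuer's side: holds card keys, the last accepted ATC and the CVV2."""

    def __init__(self) -> None:
        self.keys = {}
        self.expiry = {}
        self.cvv2 = {}
        self.last_atc = {}

    def enroll(self, card: ChipCard, cvv2: str) -> None:
        self.keys[card.pan] = card.key
        self.expiry[card.pan] = card.expiry
        self.cvv2[card.pan] = cvv2
        self.last_atc[card.pan] = 0

    def authorize_chip(self, req: dict) -> str:
        pan = req["pan"]
        if pan not in self.keys:
            return "DECLINED: unknown card"
        # Freshness first: a verbatim replay carries an ATC that was already accepted.
        if req["atc"] <= self.last_atc[pan]:
            return "DECLINED: ATC not fresh (replay)"
        msg = f"{pan}|{req['atc']}|{req['amount']}|".encode() + req["un"]
        expected = hmac.new(self.keys[pan], msg, hashlib.sha256).hexdigest()[:16]
        # Any change to amount, ATC or UN, or a forged value, fails the MAC check.
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINED: cryptogram mismatch"
        self.last_atc[pan] = req["atc"]
        return "APPROVED"

    def authorize_cnp(self, pan: str, expiry: str, cvv2, merchant_requires_cvv2: bool) -> str:
        # Card-not-present: no chip and no cryptogram, so only static data is checked.
        if pan not in self.keys or expiry != self.expiry[pan]:
            return "DECLINED: unknown card"
        if cvv2 is None:
            if merchant_requires_cvv2:
                return "DECLINED: CVV2 missing"
            return "APPROVED (CVV2 not checked)"
        if cvv2 != self.cvv2[pan]:
            return "DECLINED: CVV2 mismatch"
        return "APPROVED"


def run_scenario() -> dict:
    """One genuine chip purchase, then what an attacker can do with the captured data."""
    card = ChipCard(SAMPLE_PAN, SAMPLE_EXPIRY, SAMPLE_CARD_KEY)
    issuer = Issuer()
    issuer.enroll(card, SAMPLE_CVV2)
    results = {}
    # 1. Genuine chip purchase; the terminal supplies the unpredictable number.
    genuine = card.generate_arqc(4999, unpredictable_number=b"\x1a\x2b\x3c\x4d")
    results["genuine"] = issuer.authorize_chip(genuine)
    # 2. Replay the captured authorization verbatim (static magstripe data would pass here).
    results["replay"] = issuer.authorize_chip(dict(genuine))
    # 3. Reuse the captured cryptogram with a fresh ATC and a larger amount.
    results["tamper"] = issuer.authorize_chip(dict(genuine, atc=genuine["atc"] + 1, amount=99_999))
    # 4. Lift PAN and expiry from the clear data and go card-not-present instead.
    pan, expiry = card.track2_equivalent().split("D")
    results["cnp_without_cvv2"] = issuer.authorize_cnp(pan, expiry, None, merchant_requires_cvv2=False)
    results["cnp_cvv2_required"] = issuer.authorize_cnp(pan, expiry, None, merchant_requires_cvv2=True)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:20} {outcome}")
```

Running the block approves only the genuine chip purchase and the CVV2-less CNP purchase; the replay and the re-priced cryptogram are declined. That is the shift the slide predicts: the chip data is worth little at a terminal, so the same capture gets monetized online, and the merchant's CVV2 policy becomes the deciding control.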
What does this mean for online retail?
• Online merchants traditionally do not want to get in the way of a transaction:
  • The first iteration of 3-D Secure was awful
  • Merchants hate it due to abandoned carts
  • They would rather take the risk on a transaction
• Think about how IT works today vs. ten years ago…
Chargeback Process
Image from Willows Consulting
Who should deploy EMV?
• Card-present merchants with high chargeback rates
  • Especially those that sell gift cards!
• Where will fraud shift in the CNP space?
  • Digital goods
  • High-value items
  • Anything that can be easily fenced or converted to cash
What’s Next?
• Pervasiveness of technology expands the attack surface
• Where are payments moving?
  • Mobile (expected to eclipse PCs for CNP transactions in 2015)
  • Platforms with users exploring financial exchange (Twitter, Facebook)
• What is attractive for criminals?
  • Any of the e-wallet options, such as Samsung Pay or Apple Pay
  • Pre-paid cards (targeting the under-banked)
  • Weakly secured accounts
A few thoughts about how payments can morph…
Questions / Discussion
Dr. Branden Williams
@BrandenWilliams
http://www.brandenwilliams.com/
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you