Credit card data are a precious commodity in the criminal ecosystem, the number of data breaches involving payment card data continues to increase, fueling the underground market.
Not a week goes by that a new data breach with its compromise of data on payment cards is not recorded.
In the last week, America’s Thrift Stores announced that payment information of some of its customers might have been stolen by hackers who used a PoS malware; meanwhile FireEye has uncovered a new hacking group dubbed FIN5 that hacked payment systems of an unnamed Casino and it has stolen nearly 150,000 credit cards.
This year I had the opportunity to contribute to the annual MEF – Annual Report on Payment Card Frauds issued by the CENTRAL MEANS OF PAYMENT ANTIFRAUD OFFICE (UCAMP) of the Italian Ministry of Economy and Finance.
The report is an interesting analysis full of detailed data on the phenomenon of payment card frauds. The document focuses on payment card frauds (unrecognized transactions) issued in Italy and used everywhere.
In terms of payment channels exploited for fraudulent activities, the Internet is characterized by a growing trend; meanwhile POS and ATM withdrawals are decreasing. However, we are witnessing a decrease in the average value of the individual transactions on all channels.
Internet frauds increased for the fifth consecutive year (+11% in the incidence value and +30% as the fraud value). Since 2011, the number of unrecognized transactions grew by more than three times and now accounts for over half the total number of fraudulent transactions. The phenomenon occurs especially abroad. In the following graph are reported Internet frauds by Italy/Abroad.
The data provided in the report describe a worrying situation that urges a new approach to limit illegal activities involving payment card data.
Figure 1 – MEF – Annual Report on Payment Card Frauds
A Dated Technology against Even More Complex Cyber-Attacks
Payment card frauds in the U.S. account for nearly 50 percent of global fraud losses, according to the Nilson Report; security experts maintain that the main reason is that the country is the last in the world to implement the EMV (EuroPay, MasterCard, and Visa).
Fortunately, the situation is changing also in the U.S., where the banking consumers are about to benefit from EMV against payment frauds, too.
October 1 is the deadline day for merchants in the United States to switch to EMV technology.
The new payment card will use a built-in chip to authorize the transactions. Basically, EMV chips create a one-time-use code needed for each operation; this implementation makes stolen card data less valuable on the underground market.
Chip cards are theoretically impossible to clone, unlike payment cards that are based on the magnetic stripe.
Magnetic stripe cards include a magnetic stripe on the back of the card that is used to store data on three different tracks. Track 1 contains bank information (i.e., account number, holder’s name), Track 2 contains account information and a card verification value (PIN) number, and Track 3 is usually not used.
From the hacker’s perspective, it is quite easy to retrieve credit card data from a card using the magnetic stripe with a skimmer and even more simple it to clone such cards.
The numerous data breaches that recently occurred demonstrated that crooks mainly steal sensitive data by using card skimmers to read a card’s magnetic stripe at an ATM or gas pump or by scraping the memory of PoS terminals with sophisticated malware. This second attack scenario is the same one exploited by hackers in clamorous data breaches such as at Target, Home Depot, and Neiman Marcus.
For now, stolen data were used to mainly make fraudulent purchases; according to Stephanie Ericksen, Visa’s vice president of risk products, two-thirds of fraudulent purchases inside stores are made with counterfeit cards.
EMV cards, unlike the magnetic stripe cards, store encrypted Tracks 1 and 2 data on the chip. Additional information stored on the chip are a cryptogram, that allows the financial institution to verify the integrity of the card and of the transactions, and a counter that gets incremented with each operation. If the counter has a duplicate value or a skipped counter value, it indicates that the card has been used in fraudulent activities.
Despite the enormous improvement introduced with EMV, we cannot consider it as a complete remediation against card frauds, in particular against “Card-Not-Present” (CNP) frauds.
EMV still doesn’t protect users when dealing with e-commerce or mobile commerce platforms.
“The reality is EMV credit cards cannot prevent PoS RAM Scraper attacks. EMV was developed to prevent credit card counterfeiting and not RAM scraping. If the EMV credit card’s Tracks 1 and 2 data are sent to the PoS system for processing, it will become susceptible to RAM scraper attacks because the decrypted data resides in RAM,” states a blog post published by Trend Micro.
The experts are skeptical about some aspects related to the EMV implementation that has been introduced in the U.S. It permits the use of a magnetic stripe on the back of the card despite the presence of the chip.
In addition, EMV implementation doesn’t require encryption of cardholder information for all the transactions.
EMV alone is not sufficient to secure online and mobile payments.
In all the countries where the EMV was introduced, the number of frauds exploiting the Internet channel has dramatically increased, as reported in the following graph related to the Italian situation.
Figure 2 – MEF – Fraud by Channel (Annual Report on Payment Card Frauds)
The frauds exploiting Internet increased by 11.36% from 2013 to 2014; meanwhile, in the same period PoS frauds decreased by 18.68% and ATM withdrawals by 17.94%.
Industry watchers believe that merchants will take time to be compliant with the EMV model by installing EMV equipment in all their stores..
According to the researchers at the Strawhecker Group, U.S. merchants and ATM owners are privileged targets of criminal organizations and probably the situation will not change in the short term because it will be a number of years before we reach significant adoption of EMV.
A number of factors can hamper the introduction of EMV in the U.S.; the most important is probably is the high cost of the migration that it has been estimated at 8.6 billion dollars.
Consider that the cost of a single POS system that is compatible with EMV technology can reach hundreds of dollars and major retailers like Target will have to pay tens of millions of dollars in hardware. Also, don’t underestimate the additional cost of the introduction of the technology and its test in the live environment.
On the other end, banks will have to spend tens of millions to upgrade their internal systems to manage EMV payment card transactions.
Figure 3 – Introduction of EMV in the U.S. (Strawhecker Group)
According to a report released in mid-September by the Strawhecker Group, only a third knew the United States is shifting toward chip readers, but even more disconcerting was that only 27 percent of merchants declared themselves ready for the October deadline.
“The Strawhecker Group (TSG) released survey results today that illustrated only 27 percent of U.S. merchants will be EMV-ready by the October 1st liability shift. This represents a sizable decline from 34 percent estimated in March,” states the consulting company.
Waiting for a complete introduction of the EMV in the U.S. payment industry, retailers and banking industry can protect users adopting a multi-layer approach to security.
Principal recommendations include:
- Implementation of end-to-end encryption when dealing with payment data transmitted from the PoS systems to the financial organizations.
- Adoption of security best practices, such as the payment card industry data security standard (PCI DSS).
- Implement a strong authentication mechanism.
- Protect users by adopting fraud detection systems.
What will change starting from October 1?
One of the most important things for the U.S. users is the shifting of the fraud liability.
From that date, all the industry stakeholders have to be vigilant eve more on fraud patterns; starting in October, if a fraudulent transaction goes through at a merchant that does not have EMV equipment, the bank will not cover the losses that will shift to the merchant.
In some cases, merchants will have an extended deadline due to the additional complexity for the introduction of EMV equipment, this is the case, for example, of gas pumps, which have a two-year grace period.
The Visa Threat Intelligence
Now that we have understood that EMV technology could protect customers for specific frauds, but it cannot ensure a total protection to the bank customers, let’s highlight the importance of threat intelligence in the banking industry.
The payment industry is constantly under attack: Groups of cyber criminals are conducting ever more sophisticated cyber-attacks against financial institutions, merchants, and final customers.
Visa and the security firm FireEye have joined their forces to provide real-time threat information to operators in the industry, such as merchants and issuers, about cyber-threats. The two organizations will offer the product Visa Threat Intelligence starting in late 2015. The Visa Threat Intelligence will deliver to subscribers the information that could allow them to quickly assess and act on the most critical cyber-attacks against payment systems.
Visa and FireEye have designed a web portal that collects valuable information on cyber-threats and ongoing cyber-attacks on the global scale. The service will offer timely alerts on threat actors, their tactics, techniques, and procedures, trends in cyber-attacks, and in-depth forensic reports from recent data breaches.
“Each week, merchants and card issuers receive thousands of alerts about possible cyber-attacks, making it difficult to know which ones to focus on,” said Mark Nelsen, Senior Vice President of Risk Products and Business Intelligence, Visa Inc. “Visa Threat Intelligence removes the noise by assessing hundreds of threat indicators and serving up the most important and timely information. Users can then isolate and address those threats that are the most pressing and potentially damaging to their business and customers.”
The platform will provide also a set of APIs that allow development teams of their customers to automatically feed threat indicator data into their security systems in order to customize their analysis and the way to serve it within the organization.
Ethical Hacking Training – Resources (InfoSec)
FireEye also announced the availability of a premium offer that includes access to advanced tools, powered by the FireEye virtual execution engine (MVX™) technology, that could be used by experts to identify suspicious activities starting from apparently isolated malicious indicators from malware activities.
The Visa Threat Intelligence is much more than a simple platform for early warning of threats and inspecting tools; it also offers the instruments to share threat information within trusted communities. This aspect is essential when dealing with criminal gangs and sophisticated APTs that tend to adopt a quite similar strategy in the different hacking campaigns.
“Attack groups are exceptionally skilled at executing an attack across multiple organizations, identifying successful techniques and scaling those methods to an entire industry,” said Grady Summers, Chief Technology Officer, FireEye, Inc. “By partnering with Visa, we can provide targeted intelligence to the payments industry to combat the economies of scale that attackers employ and help create a community united in a common defense.”
The rapid changes in the IT industry have significant repercussions on every sector, including the financial industry. While banking customers are demanding new channels and services to financial institutions, they are enlarging their surface of attack.
Cyber-threats are evolving rapidly, targeting banking customers. Tracking cybercrime developments on a global scale is a top priority for financial institutions, but the process must be conducted across industries, across channels, and across technologies.
This implies gathering intelligence on cyber-threats from every industry and sharing it among the players in the banking industry; this is the pillar of an intelligence-driven fraud prevention approach.
This cross-industry fraud approach could allow rapid identification of fraud patterns worldwide and adoption of the necessary countermeasures to mitigate the risk of exposure.
The introduction of new technologies, such as the EMV, could improve the security offered to the bank customers, but identifying fraud detection, prevention, and mitigation is crucial for financial institutions.
For this reason, threat intelligence is becoming even more important in the prevention of frauds, but we must consider that a successful intelligence-driven fraud prevention strategy must balance the security requirements of an organization with the overall costs of countermeasures and the possibility of improving the user experience while accessing banking services.