30 October 2014

PCarroll

Pat Carroll - ValidSoft

78 | posts 274,468 | views 38 | comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Protecting Pin Pad Payment

18 July 2012  |  4295 views  |  1

It was interesting to read in the FT's special on 'Cyberwarfare' recently which identifies that pin pad payment terminals pose a security risk for millions of consumers.

According to MWR InfoSecurity, cybercriminals can use fake cards containing a software code to gain access not only to a customer's PIN and primary account numbers shown on the front of a plastic card, but also to the merchant's IT network. Sophisticated attackers may even be able to gain access to PIN pad terminals without the terminal owner being aware that their security systems have been breached.

This can be done very simply. For example, a customer in a restaurant can pretend to make their payment using a Trojan card which allows them to gain access to the payment terminal. All PIN numbers and other cardholder information that passes through the terminal from that point onwards are then captured by the fraudulent card user using existing communication channels (e.g. WiFi, Bluetooth or a mobile cellular network). Alternatively, these criminals can simply return and re-insert the smart card to collect the recorded data from the payment device.

This is a frightening prospect when you consider that 852m card payments were processed using PIN pad terminals in the UK alone in April according to the UK Cards Association trade body, so it's clear that something needs to be done to address this issue.

This type of fraud is not new, but the way it's being conducted is – and we can expect new methods to continue to develop. What matters is the customers' recourse to hold someone accountable for the failure of protecting their money. Customers will, out of tradition, look to their banks for this recourse, but these days it's not always clear that banks should be the ones held accountable. Should it be the PIN pad manufacturer, or the PIN pad software provider, the merchant perhaps, or the card issuer? I would like to see stronger collaboration amongst all industry players to determine how we tackle this problem as new types of fraud continue to develop and blur the lines of accountability. A unified approach will assure consumers that they do have a clear route to recourse and this in turn will restore their confidence in old and new payment systems.

In order for security to be properly adopted and implemented, unfortunately we must accept that the initial premise must be that all elements that constitute an electronic transaction are potentially compromised – stark, but true in today's world. If we apply this premise to authentication of the parties to any transaction, and the validation of the integrity of the transaction itself, then we are firmly on the road to a new approach to ensuring authenticity, transaction integrity and validity. Such technologies exist but are not widely deployed – hence the problems we experience today – we need to move to this new standard. The key lies in a multi-factor, layered approach to security, incorporating real-time invisible and visible layers relative to the bank's perceived risk of the transaction, but most importantly not compromising the intuitiveness of the customers experience. In essence: speed, strong security, efficiency, good customer service, ease of use – while shutting down the scope for fraudsters to benefit from their crime. The key lies in real-time detection, prevention and immediate resolution enabled by the empowered customer leading to: more self-service; better self-service, and above all, safer self-service! 

TagsCardsSecurity

Comments: (1)

A Finextra member | 20 July, 2012, 13:41

I agree with some of the comments of the FT site - seems poorly written and obscure to say the least, and old news too.

Its not slear to me how a hi-tech card can do any such thing with a genuine pinpad terminal, but a cloned or faked pinpad terminal would be very powerful indeed.  Not all Merchants are genuine, and so allowing a fake pinpad/pos device to be used can capture all the PIN input and magstripe too.  Then replay those captured transactions later on a real POS and you still have the captured details to go withdraw ATM cash and sell.

I doubt the chip can be compromised though.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

Chip and Signature, a Paradise Lost

28 October 2014  |  1409 views  |  1  |  Recommends 1 TagsCardsPaymentsGroupDisruption in Retail Banking

Payment Card Data Theft At The POS - Time To Knuckle Down

13 October 2014  |  3018 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

More Channels, More Payment Options, More Fraud

23 September 2014  |  891 views  |  0  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

iHack Hastens Call for Multi-factor Authentication

05 September 2014  |  2499 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security
name

Pat Carroll

job title

Founder/Executive Chairman

company name

ValidSoft

member since

2011

location

London

Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Melvin Haskins
Ketharaman Swaminathan
Kenneth Carnesi
Andrew Smith