01 September 2014

PCarroll

Pat Carroll - ValidSoft

74 | posts 261,280 | views 37 | comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Chip and Skim Cards: Renewed Need for Layered Authentication

03 June 2014  |  2153 views  |  0

In the ongoing game of one-upmanship between hackers and payment fraud prevention technology, new research presented at the 35th IEEE Symposium on Security and Privacy suggests that the fraudsters have yet another vector to utilize, exploiting new vulnerabilities within existing implementations of EMV/Chip and Pin.

The new research suggests that cryptographic weakness in some devices implementing EMV (Chip and PIN) standards and potentially a flaw in the EMV design, could now provide hackers with yet another avenue to compromise card transactions and cause massive headaches to consumers and potential losses for financial institutions and card issuers.

In the whitepaper Chip and Skim: cloning EMV cards with the pre-play attack” prepared by a team at University of Cambridge, researchers identified two observed weaknesses in deployed Chip and PIN terminals. First, terminals with poorly designed random number generators can create non-random or predictable numbers when “chipped” cards are used to produce a transaction-specific authentication code. With physical access to the devices, or via a compromised network (such as was the case in the Target breach), these terminals can also be tampered with to influence the random number generator. Second, researchers identified the ability to tamper with the Chip and PIN terminal’s communications back to the bank.

Given the increasing sophistication of today’s criminals, we need to change our approach. As I and others in the payment authentication industry have long advocated, any single technology approach to preventing fraud can be circumvented, by-passed, or exploited, given time and the will to do so. That is why we cannot simply rely on any particular method (putting all our eggs in one basket as some would say) – when what is really needed is a layered approach.

Multifactor authentication is the key, and it is ready to be deployed in the field. State-of-the-art multi-factored authentication solutions to fight card fraud can now employ “low friction” techniques such as voice biometrics and real-time, invisible checks, such as proximity correlation (the ability to determine in real-time whether or not the legitimate customer is present at the time the transaction is being performed). With this combination of technology, payment processors, financial institutions and others within the transaction payment chain can query the authenticity of the customer who is performing the transaction BEFORE the transaction is completed. All that is required is that the customer simply needs to have their cell phone or mobile device with them and turned on. If the genuine customer is not carrying out the transaction, then the transaction will be aborted BEFORE the fraudster can make off with the goods or money.

While the fraud cost itself is significant, the lost revenue and frustration of customers as a result of False Positives (when a legitimate customer is rejected from making a transaction) also costs the financial institution. Legacy security solutions tend to focus on trying to prevent every fraud rather than ensuring no legitimate customer gets rejected. By using proximity correlation, it is possible to virtually eliminate fraud, achieve an enhanced customer experience and reduce costs substantially. All in all, it’s a win, win, win situation.

Importantly, this technology works for all card transactions (credit and debit) and is privacy compliant as the genuine customer’s location is never revealed (it can be used in an opt-out model as well). Suitable for all types of card skimming with mag stripes today as well as future technologies including RFID, NFC and EMV, infrastructure investments are protected and strong ROIs generated. Furthermore, with the right privacy compliance in place, the Mobile Operators can provide the infrastructure to enable such advanced fraud prevention, thereby generating good recurring revenues in return for access to their signalling.

If the expectation of the industry is that EMV is infallible then as this article highlights, the fraudsters are only a step away from compromising EMV, in more ways than one. We surely cannot place all our trust in any single fraud prevention technology, and proximity correlation is the ideal complementary technology to move the fight against fraud to a new level. Countries that have already implemented EMV can protect their investment and inject a high level of future proofing into the fight against fraud, whilst countries such as the US can press ahead with the implementation of proximity correlation today pending their implementation of EMV. Who knows, in the US alone, the largest single target in the world for card fraud, the savings over the next couple of years may even pay for EMV!

 

 

TagsCardsSecurity

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

The Next Target-Style Attack This Holiday Season?

11 August 2014  |  1650 views  |  1  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

Securing Transactions Means More Than Just Authentication

10 July 2014  |  2385 views  |  0  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

'Trust but Verify' : Trust in Data Protection and Mobile

13 June 2014  |  2297 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Chip and Skim Cards: Renewed Need for Layered Authentication

03 June 2014  |  2153 views  |  0  |  Recommends 0 TagsCardsSecurityGroupInnovation in Financial Services
name

Pat Carroll

job title

Founder/Executive Chairman

company name

ValidSoft

member since

2011

location

London

Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Kenneth Carnesi
Andrew Smith