The Target data breach, which has left tens of millions of payment cards compromised, was carried out using off-the-shelf malware authored by a 17-year-old Russian, according to security firm IntelCrawler.
Ah, those teenagers... They should be taught about PCI DSS, the importance of security and firewalls. And HCE...
Or is it the other way round?..
I think the payments industry (especially when it comes to mobile payments, especially when it comes to Android...) should take a close look at the Target breach and give it a deep thought.
And then recall the history of the mobile industry - operators suffered from various security breaches, until SIM cards (aka SE) were introduced... It is EXTREMELY (!) difficult to defraud mobile operators these days. Why? Because their architecture is sound.
In particular, the key authentication and security protocols used by the mobile industry are concise and covered on 20-50 pages. Compare that to 800+ pages of EMV specs (and add hundreds more pages that EMVCo is now working on in respect of tokenisation...).
Here's the thing: It doesn't need to happen again, and here's how to do it.
1. The credit card companies need to wipe everything but the UserID (and, possibly, the company ID) from the card.
2. They then install a fraudproof user authentication system. (A tolerably good description of such a system is at www.designsim.com.au/What_is_SteelPlatez.ppsx).
3. The customer and retailer both have accounts on the authentication system.
4. When the customer needs to make a purchase, or checkout at the POS terminal, he either selects his credit card from a menu, or swipes the card, to identify himself and the card company.
5. This action connects the customer to the authentication system belonging to the appropriate credit card company, passing his user ID and details of the purchase. This includes the retailer's User ID.
6. The credit card company already knows the user's card number, so if his User ID has been authenticated, it accesses the credit card details as it would do under the current system.
7. It then checks for a match with the retailer's submission.
8. If there's a match, it performs the usual checks for limits, expiry etc., issues an approval (or not), pays the retailer etc.
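The issuer-side matching in steps 5 to 8 above, as an added example that is not part of the original comment. All names and records are hypothetical, and because the page does not specify the authentication mechanism, it is modelled here as a set of IDs the authentication system has already verified.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Submission:
    """What one party sends to the issuer (step 5). There is no card number field."""
    sender_id: str     # who actually sent this message
    user_id: str       # customer's User ID
    retailer_id: str   # retailer's User ID
    amount_cents: int

# Constructed issuer-side records; the card number lives only here (step 6).
CARDS = {"cust-1001": {"pan": "4000000000000002", "limit_cents": 50_000,
                       "expiry": date(2030, 1, 31)}}
RETAILERS = {"shop-77"}

def authorise(cust, shop, authenticated, today):
    """Return 'APPROVE' or 'DECLINE:<reason>' for one purchase (steps 5-8)."""
    # Each submission must come from the party it names, and that party must
    # have passed the authentication system (assumed, not specified on the page).
    if cust.sender_id != cust.user_id or cust.user_id not in authenticated:
        return "DECLINE:customer-not-authenticated"
    if shop.sender_id != shop.retailer_id or shop.retailer_id not in authenticated:
        return "DECLINE:retailer-not-authenticated"
    if shop.retailer_id not in RETAILERS or cust.user_id not in CARDS:
        return "DECLINE:unknown-account"
    # Step 7: the two independent submissions must describe the same purchase.
    if (cust.user_id, cust.retailer_id, cust.amount_cents) != \
       (shop.user_id, shop.retailer_id, shop.amount_cents):
        return "DECLINE:mismatch"
    # Steps 6 and 8: look the card up by User ID, then run the usual checks.
    card = CARDS[cust.user_id]
    if today > card["expiry"]:
        return "DECLINE:expired"
    if cust.amount_cents > card["limit_cents"]:
        return "DECLINE:over-limit"
    return "APPROVE"
```

A terminal that only ever handles `Submission` objects has no card number to leak; the amount mismatch case is what stops a retailer-side submission from being altered after the customer has confirmed.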
© Finextra Research 2014