24 November 2017

44975

Retired Member

3,226Posts 11,701,273Views 3,485Comments
Innovation in Financial Services

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Mobile Payment Fraud: Emerging Ground for Cyber Criminals

08 May 2015  |  11458 views  |  2

We may love the Hollywood movies about amazing bank or jewelry heists, armored car robberies, art scams and the like, but smart criminals figured out long ago that a good financial data breach is a much more lucrative form of criminal activity. And it comes with the added benefit of much lower risk of arrest and little chance of being shot at or even getting a cold working outside in the wee hours of the night.

Target, JP Morgan Chase, the Home Depot and some of the biggest names in banking and retail with some of the biggest IT security budgets in the industry have been hacked and customer financial data has been sold to the highest bidder. Losses are not calculated in millions, but in billions of dollars.

Changing payment scenario

Data breaches directed towards consumer mobile devices are less appealing to hackers compared to hacking into a central server or merchant terminals that offer the financial data of millions of customers. When incidents of financial data breach peaked in 2013, hacking into servers constituted half of all the attacks. Still, the adoption of mobile proximity payments and the presence of sensitive financial data on mobile devices will definitely entice the tech savvy criminal out there. Instead of being protected by the simple “offline” nature of a plastic card, sensitive payment data on always-connected smartphones are naturally more accessible and potentially more at risk. A breach on a single smartphone can be the proverbial tip of the iceberg in a potential massive mobile payment fraud. A successful attack method has great value to criminals who may sell or share the method. Until that attack method is known and countermeasures can be implemented, all other devices with the same vulnerability are potential sitting ducks. A great deal of damage can be done before the exploit is identified and eliminated.

The threats

While data theft criminals may exploit existing hacking methods such as charge wares and ransom wares, increasingly sophisticated and diligent hackers will not fail to invent new strategies to attack phones to access financial data. Here are some of the issues keeping security professionals awake at night to prevent mobile payment fraud.

Distribution platform

Malware such as Trojan versions of otherwise legitimate financial applications can be pushed by attackers to the devices via distribution platforms that are either unregulated or under regulated.

Data storage, access, secrecy

If financial data is not sufficiently secured in the phone and access protected, it is an open invitation to hackers. Financial data is exposed by analysis after a physical theft or by making the application send the sensitive information remotely depending on the degree and type of deficiency in security.

Application integrity

A breach in the application integrity is a serious threat since it can potentially expose scores of active applications in the field to the same threat. The attacker can potentially modify the application to send sensitive financial information to a server, cause the application to behave in an unwanted manner, or harvest the IP from inside the application that is not well protected.

Interaction with other entities

Any deficiencies in the interaction of the mobile application with other entities, such as the contactless reader and the backend servers, will also be potentially exploited by mobile payment hackers. Weak authentication or a flaw in message security can jeopardize not only the mobile payment application but also the associated server. A capture and replay attack on the open un-encrypted communication with the contactless reader has been demonstrated recently (e.g. Apple Pay transaction replay demo).

Protection strategies

To counter these threats several security strategies are required to prevent mobile payment fraud. The best security practices dictate that security be a design principal across the board. Security must be baked in from design to deployment; beginning at the firmware level and continuing through middleware on to server-based platforms. The role of smartphones in mobile payment means these principles are especially important to on-device software.

Better regulation of distribution platforms

Malware penetration in un-regulated channels is as high as 33%. Distribution level vulnerabilities can be addressed by better regulation of application distribution channels to prevent exploitation by hackers pushing malwares and Trojanized apps into devices. In the absence of sufficient regulation, the fall back strategy is to enforce strict security policies at the application level, the lack of which in the less secure applications is exploited by hackers. Strict rules around enforcement of app certification and distribution are also important.

Anti-malware guards

The first strategy against malware is to actively test for new vulnerabilities, discover malware signatures as soon as possible, and update the mobile system level guards (e.g. “App verify” from Google).

Card profile level strategies:

  • Phase out less secure profiles: Issuers can do away with card profiles that are prone to replay attack in the unsecured communication with the contactless reader. This includes those profiles that do not interactively create cryptograms with the readers.
  • Restrict transaction limits: Tokenization reduces the amount of vulnerable and information susceptible to compromise stored in phone memory by replacing sensitive data such as the personal account number (PAN) with an alternate identifier or token. Issuers can consider keeping the upper transaction limit for the token low enough to deter attackers.

Stringent certification criteria

Certifying authorities can raise the bar high enough for certifying applications that hold financial data. This means defining strict security requirements in application security areas such as data storage, application integrity and communication.

Obfuscation, white-box cryptography and other in-app strategies

Adaption of techniques such as obfuscation, white-box cryptography and proprietary protection strategies within the application code against various threats by the application providers will help minimize the threats. Software on-device must defend against static code analysis and reverse engineering. This is all the more important in case of devices that do not have hardware based security such as a secure element to store sensitive data. Care must be taken that the security measures do not negatively affect the performance and the user experience.

End user education

Application providers and issuers can warn end users about the threat possibilities and educate them about best practices in using the mobile financial applications to minimize threats.

Mobile payment fraud – end note

History has shown that cyber criminals are not discouraged by even very difficult to find vulnerabilities. They are known to devise novel ways to beat the technology and commit fraud. Vendors and participants in the mobile payments ecosystem must identify all the vulnerabilities, address them sufficiently, and constantly reevaluate security. It’s either that or become the unwilling protagonist in a B movie production about a patsy getting scammed out of millions. And as they saying goes, if you don’t know who the patsy is, it’s probably you.

 

TagsSecurityMobile & online

Comments: (2)

Nick Collin
Nick Collin - Collin Consulting Ltd - London | 11 May, 2015, 10:21

Nice post Marcelo.  This is going to become an increasingly important issue.

1 thumb up! 1 thumb up! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 12 May, 2015, 14:09

To your list, let me add Apple Pay Fraud, arguably the most sensational form of mobile payment fraud since it's the only type of it in which a thief can steal lower cost, lower risk CNP data to commit a higher risk, higher value CP fraud (Source: http://krebsonsecurity.com/2015/03/apple-pay-bridging-online-and-big-box-fraud/). Unlike the instore replay fraud you've mentioned, Apple Pay Fraud happens at the card provisioning stage.

1 thumb up! 1 thumb up! (Log in to thumb up)
Comment on this story (membership required)

Retired's profile

job title
location
member since 2014
Summary profile See full profile »

Retired's expertise

Member since 2009
3164 posts3,485 comments
What Retired reads

Who's commenting on Retired's posts

Ketharaman Swaminathan
Dharmesh Mistry
David Andrzejek
Ralf Ohlhausen
Tom Hay
Nicola Cowburn
Michael Wright
Charmaine Oak
Francis Chlarie
Raymond Lee
Deepthi Rajan