New trends in Payments Security: NFC & Mobile
www.sisainfosec.com
SISA Information Security
Speaker
Dharshan Shanthamurthy, Founder and Chief Executive Officer
Qualifications: PCI QSA, PA-QSA, CISA, CISSP, CEH, FCA, ISO 27001 Implementer, OCTAVE (SEI-CMU) Authorized Trainer and Advisor, SANS Certified Web Application Pen Tester (GWAPT), Microsoft Certified Professional (MCP), VISA Qualified Payment Application Security Professional (VISA QPASP)
Payment Security Expert. Worked on the initial Aadhaar security framework and was the lead author of the PCI DSS Standard Risk Assessment Guidance document.
Amongst the first PCI Qualified Security Assessors of the PCI Council. First PCI QSA in Asia.
OCTAVE Authorized Trainer from the Software Engineering Institute, Carnegie Mellon University.
Author of the CPISI and CISRA Certification programs.
Email: [email protected] LinkedIn: dharshanshanthamurthy
Session Objective
Mobile and NFC Technology based Payments
Payment Card Industry Ecosystem
Challenges and Solutions with respect to payment security
Mode: Interactive
Mobile Payments
Global Mobile Payment Transaction Volumes from 2015 to 2019 (in billion US dollars)
This statistic shows the global mobile payment transaction volume from 2015 to 2019. The worldwide mobile payment volume in 2015 was 450 billion U.S. dollars and is expected to surpass 1 trillion U.S. dollars in 2019.
Three routes for contactless payments
Near Field Communication (NFC)
Near Field Communication (NFC) is shaping the future of mobility and is becoming the system of choice for mobile payments.
NFC is a technology that has been around for years, but it gained much attention after Apple announced that the new iPhone 6 line was fitted with the technology for card-less payments.
NFC is a short-range, high-frequency wireless communication technology that enables the exchange of data between devices over a distance of about 10 cm.
Players likely to drive growth in global mobile payments
PayPal, Paydiant and mobile payments
PayPal has been an ecommerce force for years. In March, news broke of PayPal's plan to acquire the startup Paydiant, a platform that companies use to build branded mobile-payment and loyalty-card services. Subway, Capital One and the retail consortium Merchant Customer Exchange (MCX) already use Paydiant's platform, according to the IDG News Service. Paydiant lets consumers pay for items via their mobile devices using NFC and QR codes.
PayPal also said in March that it would sell NFC-equipped versions of its credit card readers to merchants.
Innovation by Amex
American Express is experimenting with facial recognition and wearable technology that could form the foundation for new mobile-payment and security features.
Amex tests new ways of using its payment services on devices such as the Apple Watch and Google Glass in its own tech development lab.
Amex also recently partnered with Jawbone to add mobile payment features to the company's upcoming UP4 fitness tracker.
Innovation by Samsung
Samsung has announced Samsung Pay, which uses two different wireless technologies: NFC and magnetic secure transmission (MST).
LoopPay developed the MST technology, which has been embedded as a copper ring inside the new Samsung Galaxy S6 smartphones.
Samsung Pay, NFC and MST
Samsung Pay was launched in the summer of 2015.
Samsung's MST
Magnetic Secure Transmission (MST) is a technology that emits a magnetic signal that mimics the magnetic stripe on a traditional payment card. MST sends a magnetic signal from your device to the payment terminal's card reader, emulating the swipe of a physical card without requiring an upgrade to the terminal's software or hardware. MST technology is accepted at nearly all payment terminals with a card reader, though some payment terminals may require software updates. Simply select a card from Samsung Pay and transmit the payment information by moving your device within an inch of the payment terminal. Your transaction and payment information are kept private and secure through tokenization. MST is more secure than using a traditional payment card and is as secure as paying with Near Field Communication (NFC).
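The slide above says the transaction is kept private through tokenization. The Python below is an added illustration, not code from this deck or from Samsung or LoopPay, of what that means in practice: a simplified token vault (the class TokenVault and the functions make_cryptogram and device_pay are assumptions) hands the handset a random token and a per-token key instead of the PAN, the handset transmits the token plus a transaction cryptogram over NFC or MST, and only the vault can map the token back to the PAN. It also shows why a token captured by an eavesdropper is worth less than a card number: a replayed tap or a tampered amount fails verification. Real EMV payment tokens are issued by a token service provider with domain restrictions that this sketch omits.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def make_cryptogram(key: bytes, token: str, amount_cents: int, counter: int) -> str:
    """One-time transaction cryptogram bound to token, amount and counter."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Constructed, simplified model of a token service (an assumption, not a
    real scheme): maps a PAN to a random token, keeps a per-token key and the
    last transaction counter seen, and rejects bad or replayed requests."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}
        self._key_by_token: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def tokenize(self, pan: str) -> Tuple[str, bytes]:
        """Enrol a card; the handset stores only the returned token and key."""
        if pan in self._token_by_pan:
            token = self._token_by_pan[pan]
            return token, self._key_by_token[token]
        while True:
            # Twelve random digits plus the card's last four for receipts; the
            # token reveals nothing else about the PAN and cannot be reversed.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._pan_by_token:
                break
        key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        self._key_by_token[token] = key
        self._last_counter[token] = 0
        return token, key

    def verify(self, token: str, amount_cents: int, counter: int, cryptogram: str) -> Optional[str]:
        """Return the real PAN for authorization, or None when the token is
        unknown, the cryptogram does not match, or the counter was already
        used (a replayed capture of an earlier tap)."""
        key = self._key_by_token.get(token)
        if key is None or counter <= self._last_counter[token]:
            return None
        expected = make_cryptogram(key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None
        self._last_counter[token] = counter
        return self._pan_by_token[token]


def device_pay(token: str, key: bytes, amount_cents: int, counter: int) -> dict:
    """What the handset sends over NFC or MST: token and cryptogram, never the PAN."""
    return {
        "token": token,
        "amount_cents": amount_cents,
        "counter": counter,
        "cryptogram": make_cryptogram(key, token, amount_cents, counter),
    }


if __name__ == "__main__":
    vault = TokenVault()
    token, key = vault.tokenize("4111111111111111")  # constructed test PAN
    tap = device_pay(token, key, 1999, 1)
    print("terminal sees:", tap)
    print("issuer authorizes PAN:", vault.verify(**tap))
    print("replay of same tap:", vault.verify(**tap))
```

The merchant terminal and anything sniffing the NFC or MST exchange see only the token and a cryptogram that is valid once, for one amount; the PAN itself never leaves the vault.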
Apple Pay
The Apple Pay mobile-payment and digital-wallet system debuted in October 2014.
It lets consumers with NFC-enabled iPhone 6, iPhone 6 Plus and Apple Watch devices pay in stores at contactless terminals and buy goods using apps that support the service.
Apple Pay's impact was significant and immediate: more than a million credit cards were registered for use with the service in its first three days of availability.
Vulnerabilities of Mobile Payments
New processes create new security vulnerabilities. Over-the-air provisioning of payment credentials and applications, for example, potentially creates new attack vectors for eavesdroppers to steal and misuse customer data.
The 2015 Mobile Payment Security Study, released by ISACA, showed growing concern over mobile payment security.
Based on the survey results, ISACA ranked the following risks and vulnerabilities associated with mobile payments:
• Use of public WiFi (26 %)
• Lost or stolen devices (21 %)
• Phishing/smishing (phishing attacks via text messages) (18 %)
• Weak passwords (13 %)
• User error (7 %)
• There are no security vulnerabilities (0.3 %)
Risks Associated with Mobile Payments
Failure to understand exactly where and how sensitive account data is stored and transmitted can prevent organizations from clearly defining and implementing data protection solutions.
Phishing/smishing (phishing conducted over SMS): More often than not, mobile phishing attacks target credit card and bank card data.
Insecure coding: The app itself could also have coding or process flaws, which can lead to leaked banking information.
Device theft: If the device is lost or stolen, the stored financial data could be extracted for malicious purposes. If you're not careful, your data and credentials could end up in the wrong hands.
A report from Kaspersky Lab highlights how mobile malware has become more sophisticated, with "mobile Trojans which could check on the victim's balance to ensure the maximum profit."
Man-in-the-middle (MitM) attacks via fake or malicious apps, and data breaches, take advantage of the new payment methods.
Payment Card Fraud Evolution
1983 Re-embossed counterfeit fraud
1988 Re-encoded counterfeit fraud
1989 Card-not-present fraud / fraudulent applications
1991 Never-received-issue fraud
1992 Merchant fraud
1994 Identity theft
2000 Skimmed counterfeit
2002 Communications interception
2007 Wireless/chip sniffing, card counterfeit, fake terminals
2010-14 Server hacking / malware / memory scraping
Some more Mobile Payment Risks
Payment Data Breaches
The survey was conducted by the Ponemon Institute and covered 3,773 IT security practitioners from more than a dozen major industry sectors in the United States, United Kingdom, Germany, France, Belgium, Netherlands, Japan, India, Russian Federation, Middle East and South Africa. Industries represented include communications, entertainment & media, financial services, government, healthcare, hospitality, IT services, retail, technology, transportation and utilities.
Hilton Hotel Breach
Hilton Worldwide was the target of an attack by means of malware installed on the point-of-sale (PoS) systems at restaurants and shops in certain Hilton hotels, including Waldorf Astoria, Embassy Suites, and Hampton Inn and Suites.
Hilton announced: 'Customers who used their payment cards between November 18 and December 5, 2014, or April 21 and July 27, 2015, may be affected by the info-stealing malware.'
Hilton customers' personal information such as cardholder names, payment card numbers, security codes and expiration dates is believed to have been compromised by the PoS malware, but no addresses or personal identification numbers (PINs) were affected.
Starwood Hotels Credit Card Breach at over 50 locations
Malware aimed at stealing credit and debit card information was found on payment systems at restaurants and stores in 54 Starwood hotels in North America.
"The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date."
Similar examples of hotels being targeted by malware on their payment systems:
• Trump Collection
• Mandarin Oriental Hotels
Wendy's Card Data Breach
As many as 6000 locations were affected by the breach in December 2015.
Jimmy John's, Rainforest Cafe, Morton's, P.F. Chang's and Dairy Queen have been victims of credit card hacks since 2014.
"Traditionally [POS systems] have been some of the weakest spots [in a restaurant's operations... because restaurant owners] tend to do really sloppy things like enable the same password for each system." (security experts)
In all the above cases, the cards impacted appear to be those swiped at the stores, and did not include cards entered manually or online.
LoopPay Attack and Breach
LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers (Codoso Group).
The attackers are believed to have broken into LoopPay's corporate network, but not the production system that helps manage payments, said Will Graylin, LoopPay's chief executive and co-general manager of Samsung Pay.
LoopPay executives said the Codoso hackers appeared to have been after the company's technology, known as magnetic secure transmission, or MST, which is a key part of the Samsung Pay mobile payment wallet.
Other facts
Ownership of payment data security is not centralized: 28% of respondents said responsibility lies with the chief information officer, 26% with the business unit, 19% with the compliance department, 15% with the chief information security officer and 14% with other departments.
Hackers are targeting the latest technology in mobile payments.
According to the independent study, 55% said they did not know where all their payment data is stored or located.
Senior threat researcher Numaan Huq, speaking about the current PoS security landscape, explained that PoS malware remains a threat despite the newer payment technologies.
With the recent introduction of new payment technologies such as EMV and RFID contactless cards, businesses are expected to upgrade to new, more secure payment systems. However, attackers will attempt to come up with new strategies against these improved systems and environments.
How to Secure the Payment Environment
Payment security standards: PCI DSS, PA-DSS and PCI PIN
Training: get the teams trained on payment security implementation
Payment security risk assessment
Payment data discovery
Effective segmentation between payment data and non-payment data
PCI Security Layered Approach
Layers: Process, Application, Server, Network
• OS hardening
• Deploying DB in the same server
• Patch management
• Firewall: securely configuring the FW is more important
• IPS: configure it to drop packets
• VAPT
• Web app PT
• Firewall rule review
• Encrypting the DB credentials
• Storing truncated PAN instead of full PAN and CVV2
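Two of the controls listed in the preceding slides, payment data discovery and storing a truncated PAN instead of the full PAN and CVV2, can be shown in one script. The Python below is an added example, not part of the SISA deck: it sweeps a constructed log fragment for card numbers the way a discovery tool does (a digit-run regex filtered by the Luhn check, so that other long numeric ids are not flagged), truncates each PAN to the first six and last four digits that PCI DSS permits to be displayed, and removes CVV2-style fields, which PCI DSS forbids storing after authorization. The sample log, the PANs in it (standard test numbers) and the names find_pans, truncate_pan and sanitize_log_line are all assumptions.

```python
import re

# Constructed sample log fragment: the kind of leftover a payment data
# discovery sweep turns up in application logs. PANs are public test numbers.
SAMPLE_LOG = """\
2015-12-01 10:02:11 INFO  order=8812 pan=4111111111111111 cvv2=123 exp=0917
2015-12-01 10:02:12 INFO  order=8813 pan=5500000000000004 cvv2=456 exp=1118
2015-12-01 10:02:13 DEBUG trace id=1234567890123456 (not a card)
2015-12-01 10:02:14 INFO  order=8814 pan=4012888888881881 exp=0420
"""

# Any run of 13 to 19 digits not touching other digits is a PAN candidate.
CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Field names whose values are sensitive authentication data and must never
# be retained (assumed naming for this constructed log format).
FORBIDDEN_FIELD = re.compile(r"\b(cvv2|cvc|cvv|pin|track\d?)=\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Discovery step: return candidates that pass Luhn, in order of appearance."""
    return [m.group(1) for m in CANDIDATE.finditer(text) if luhn_ok(m.group(1))]


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    if len(pan) < 13 or not luhn_ok(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_log_line(line: str) -> str:
    """Rewrite one log line into what may be retained: truncated PANs and no
    sensitive authentication data. Non-PAN numbers are left untouched."""
    line = CANDIDATE.sub(
        lambda m: truncate_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0),
        line,
    )
    return FORBIDDEN_FIELD.sub(lambda m: m.group(1) + "=[removed]", line)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    for raw in SAMPLE_LOG.splitlines():
        print(sanitize_log_line(raw))
```

Running the discovery function first tells you where cardholder data actually lives, which the survey figures above show most organizations cannot answer; the sanitizer is the storage rule applied to what was found.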
PCI for Protecting Payments
Thank You! Please feel free to write any questions to [email protected]