New trends in Payments Security: NFC & Mobile


Transcript of New trends in Payments Security: NFC & Mobile

Page 1: New trends in Payments Security: NFC & Mobile

New trends in Payments Security: NFC & Mobile

www.sisainfosec.com

SISA Information Security

Page 2: New trends in Payments Security: NFC & Mobile

Speaker

Qualifications: PCI QSA, PA-QSA, CISA, CISSP, CEH, FCA, ISO 27001 Implementer, OCTAVE (SEI-CMU) Authorized Trainer and Advisor, SANS Certified Web Application Pen Tester (GWAPT), Microsoft Certified Professional (MCP), VISA Qualified Payment Application Security Professional (VISA QPASP)

Dharshan Shanthamurthy, Founder and Chief Executive Officer

Payment Security Expert. Worked on the initial security framework for Aadhaar and was the lead author of the PCI DSS Standard Risk Assessment Guidance document.

Amongst the first PCI Qualified Security Assessors of the PCI Council. First PCI QSA in Asia.

OCTAVE Authorized Trainer from Software Engineering Institute, Carnegie Mellon University.

Author of the CPISI and CISRA Certification programs.

Email: [email protected] Linkedin: dharshanshanthamurthy


Page 3: New trends in Payments Security: NFC & Mobile

Session Objective

Mobile and NFC Technology based Payments

Payment Card Industry Ecosystem

Challenges and Solutions with respect to payment security

Mode: Interactive


Page 4: New trends in Payments Security: NFC & Mobile

Mobile Payments


Page 5: New trends in Payments Security: NFC & Mobile

Global Mobile Payment Transaction Volumes from 2015 to 2019 (In Billion US Dollars)

This statistic shows the global mobile payment transaction volume from 2015 to 2019. The worldwide mobile payment volume in 2015 was 450 billion U.S. dollars and is expected to surpass 1 trillion U.S. dollars in 2019.


Page 6: New trends in Payments Security: NFC & Mobile

Three routes for contactless payments


Page 7: New trends in Payments Security: NFC & Mobile

Near Field Communication (NFC)

Near Field Communication (NFC) is shaping the future of mobility and is becoming the system of choice for mobile payments.

NFC has been around for years, but it gained much attention after Apple announced that the iPhone 6 line was fitted with the technology for card-less payments.

NFC is a short-range, high-frequency wireless communication technology that enables the exchange of data between devices over a distance of about 10 cm or less.


Page 8: New trends in Payments Security: NFC & Mobile

Players likely to drive growth in global mobile payments


Page 9: New trends in Payments Security: NFC & Mobile

PayPal, Paydiant and mobile payments

PayPal has been an ecommerce force for years. In March 2015, news broke of PayPal's plan to acquire the startup Paydiant, a platform that companies use to build branded mobile-payment and loyalty-card services. Subway, Capital One and the retail consortium Merchant Customer Exchange (MCX) already use Paydiant's platform, according to the IDG News Service. Paydiant lets consumers pay for items via their mobile devices using NFC and QR codes.

PayPal also said in March that it would sell NFC-equipped versions of its credit card readers to merchants.

Page 10: New trends in Payments Security: NFC & Mobile

Innovation by Amex

Amex recently partnered with Jawbone to add mobile payment features to the company's upcoming UP4 fitness tracker.

American Express is experimenting with facial recognition and wearable technology that could form the foundation for new mobile-payment and security features.

Amex tests new ways of using its payment services on devices such as the Apple Watch and Google Glass in its own tech development lab.

Page 11: New trends in Payments Security: NFC & Mobile

Innovation by Samsung

Samsung has announced Samsung Pay, which uses two different wireless technologies: NFC and Magnetic Secure Transmission (MST).

LoopPay developed MST, which has been embedded as a copper ring inside the new Samsung Galaxy S6 smartphones.

Samsung Pay, NFC and MST

Samsung Pay was launched in the summer of 2015.


Page 12: New trends in Payments Security: NFC & Mobile

Samsung’s MST

Magnetic Secure Transmission (MST) is a technology that emits a magnetic signal mimicking the magnetic stripe on a traditional payment card. MST sends that signal from the device to the payment terminal's card reader, emulating a swipe without the terminal's software or hardware having to be upgraded, so it is accepted at nearly all payment terminals with a card reader (some terminals may require software updates). The user simply selects a card in Samsung Pay and transmits the payment information by holding the device within an inch of the terminal. Samsung's position is that the transaction and payment information is kept private through tokenization (the terminal receives a payment token rather than the real card number), which makes MST more secure than swiping a traditional payment card and, in Samsung's description, as secure as paying with Near Field Communication (NFC).
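As an added example (not from the SISA deck and not Samsung's or LoopPay's code), the following Python model shows what tokenization buys in a wallet payment over NFC or MST: the terminal only ever sees a device token and a per-transaction cryptogram, never the real PAN, and the token service rejects a replayed payload and a tampered amount. The names TokenVault and DeviceCredential, the random DPAN format and the HMAC-based cryptogram are assumptions for illustration; real wallets use EMV-style issuer cryptograms and an application transaction counter (ATC) managed in the secure element or HCE service.

```python
"""Added example (not from the SISA deck): a minimal model of payment
tokenization with a per-transaction cryptogram.

Assumptions (hypothetical, for illustration only):
  - TokenVault stands in for the token service provider; it alone can map the
    device token (DPAN) back to the real PAN.
  - The wallet authenticates each transaction with an HMAC-SHA256 over
    DPAN, ATC and amount. Real EMV-based wallets use an issuer-keyed ARQC.
  - The terminal and acquirer forward the payload unchanged.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _mac_input(dpan: str, atc: int, amount_cents: int) -> bytes:
    # Everything the cryptogram binds: token, counter and amount.
    return f"{dpan}|{atc}|{amount_cents}".encode()


@dataclass
class DeviceCredential:
    """What the phone holds after over-the-air provisioning."""
    dpan: str
    key: bytes
    atc: int = 0

    def build_payload(self, amount_cents: int) -> Dict:
        """Produce the data a terminal would read over NFC (or via MST)."""
        self.atc += 1  # monotonically increasing transaction counter
        cryptogram = hmac.new(self.key, _mac_input(self.dpan, self.atc, amount_cents),
                              hashlib.sha256).hexdigest()
        return {"dpan": self.dpan, "atc": self.atc,
                "amount": amount_cents, "cryptogram": cryptogram}


class TokenVault:
    """Token service provider: issues DPANs and validates cryptograms."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict] = {}

    def provision(self, pan: str) -> DeviceCredential:
        # The DPAN is random and carries no relation to the PAN (prefix is arbitrary here).
        dpan = "49" + "".join(secrets.choice("0123456789") for _ in range(14))
        key = secrets.token_bytes(32)
        self._records[dpan] = {"pan": pan, "key": key, "last_atc": 0}
        return DeviceCredential(dpan=dpan, key=key)

    def detokenize(self, payload: Dict) -> Optional[str]:
        """Return the real PAN for a valid, fresh payload; None otherwise."""
        rec = self._records.get(payload["dpan"])
        if rec is None:
            return None  # unknown token
        expected = hmac.new(rec["key"],
                            _mac_input(payload["dpan"], payload["atc"], payload["amount"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, payload["cryptogram"]):
            return None  # amount or counter tampered, or wrong device key
        if payload["atc"] <= rec["last_atc"]:
            return None  # replay of an ATC already seen
        rec["last_atc"] = payload["atc"]
        return rec["pan"]


def demo() -> Dict[str, Optional[str]]:
    """A genuine tap, a replay of the same payload, and a tampered amount."""
    vault = TokenVault()
    wallet = vault.provision("4111111111111111")  # constructed test PAN
    tap = wallet.build_payload(1999)
    results = {"genuine": vault.detokenize(tap),
               "replayed": vault.detokenize(tap)}
    tampered = dict(wallet.build_payload(500))
    tampered["amount"] = 1  # attacker lowers the amount after capture
    results["tampered"] = vault.detokenize(tampered)
    return results


if __name__ == "__main__":
    for scenario, pan in demo().items():
        print(f"{scenario}: {'accepted, PAN=' + pan if pan else 'rejected'}")
```

The point for a reviewer of a wallet integration: data captured from the air (or from a PoS memory scraper) is a token plus a used-up cryptogram, so it is not reusable as a card number the way stripe track data is.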


Page 13: New trends in Payments Security: NFC & Mobile

Apple Pay

The Apple Pay mobile-payment and digital-wallet system debuted in October 2014.

It lets consumers with NFC-enabled iPhone 6, iPhone 6 Plus and Apple Watch devices pay in stores at contactless terminals and buy goods using apps that support the service.

Apple Pay's impact was significant and immediate: more than a million credit cards were registered for use with the service in its first three days of availability.


Page 14: New trends in Payments Security: NFC & Mobile

Vulnerabilities of Mobile Payments

New processes create new security vulnerabilities. Over-the-air provisioning of payment credentials and applications, for example, potentially creates new attack vectors for eavesdroppers to steal and misuse customer data.


Page 15: New trends in Payments Security: NFC & Mobile

Vulnerabilities of Mobile Payments

The 2015 Mobile Payment Security Study, released by ISACA, showed growing concern over the safety of mobile payments. Based on the survey results, ISACA ranked the following risks and vulnerabilities associated with mobile payments:

• Use of public WiFi (26%)
• Lost or stolen devices (21%)
• Phishing/smishing (phishing attacks via text messages) (18%)
• Weak passwords (13%)
• User error (7%)
• There are no security vulnerabilities (0.3%)


Page 16: New trends in Payments Security: NFC & Mobile

Risks Associated with Mobile Payments

Failure to understand exactly where and how sensitive account data is stored and transmitted can prevent organizations from clearly defining and implementing data protection solutions.

Phishing/smishing (phishing conducted over SMS): more often than not, mobile phishing attacks target credit card and bank card data.

Insecure Coding: The app itself could also have coding or process flaws, which can lead to leaked banking information.


Page 17: New trends in Payments Security: NFC & Mobile

Risks Associated with Mobile Payments

Device theft: if the device is lost or stolen, the financial data stored on it can be extracted and misused. If you are not careful, your data and credentials could end up in the wrong hands.

A report from Kaspersky Lab highlights how mobile malware became more sophisticated, with "mobile Trojans which could check on the victim's balance to ensure the maximum profit."

Man-in-the-middle (MitM) attacks via fake or malicious apps, and data breaches that take advantage of the new payment methods.


Page 18: New trends in Payments Security: NFC & Mobile

Payment Card Fraud Evolution

1983 Re-embossed counterfeit fraud
1988 Re-encoded counterfeit fraud
1989 Card-not-present fraud / fraudulent applications
1991 Never-received-issue (NRI) fraud
1992 Merchant fraud
1994 Identity theft
2000 Skimmed counterfeit
2002 Communications interception
2007 Wireless/chip sniffing, card counterfeit and fake terminals
2010-14 Server hacking, malware and memory scraping


Page 19: New trends in Payments Security: NFC & Mobile

Some more Mobile Payment Risks


Page 20: New trends in Payments Security: NFC & Mobile

Payment Data Breaches

The survey was conducted by the Ponemon Institute. It involved a survey of 3,773 IT security practitioners from more than a dozen major industry sectors in the United States, United Kingdom, Germany, France, Belgium, Netherlands, Japan, India, Russian Federation, Middle East and South Africa. Industries represented include communications, entertainment & media, financial services, government, healthcare, hospitality, IT Services, retail, technology, transportation and utilities.


Page 21: New trends in Payments Security: NFC & Mobile

Hilton Hotel Breach

Hilton Worldwide was the target of an attack using malware installed on point-of-sale (PoS) systems at restaurants and shops in certain Hilton hotels, including Waldorf Astoria, Embassy Suites, and Hampton Inn and Suites.

Hilton announced ‘Customers who used their payment cards between November 18 and December 5, 2014, or April 21 and July 27, 2015, may be affected by the info-stealing malware.’

Hilton customers’ personal information such as cardholder names, payment card numbers, security codes, and expiration dates are believed to have been compromised by the PoS malware, but no addresses or personal identification numbers (PINs) were affected.


Page 22: New trends in Payments Security: NFC & Mobile

Starwood Hotels Credit Card Breach at over 50 locations

Malware aimed at stealing credit and debit card information was found on payment systems at restaurants and stores in 54 Starwood hotels in North America

"The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date,"

Similar examples of hotels being targeted by malware on their payment systems:
• Trump Collection
• Mandarin Oriental Hotels


Page 23: New trends in Payments Security: NFC & Mobile

Wendy’s Card Data Breach

As many as 6,000 locations were affected by the breach reported in December 2015.

Jimmy John's, Rainforest Cafe, Morton's, P.F. Chang's and Dairy Queen have been victims of credit card hacks since 2014.

"Traditionally [POS systems] have been some of the weakest spots [in a restaurant's operations ... because restaurant owners] tend to do really sloppy things like enable the same password for each system," according to security experts.

In all the above cases, the cards impacted appear to be those swiped in the stores, not cards entered manually or online.


Page 24: New trends in Payments Security: NFC & Mobile

LoopPay Attack and Breach

LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant Samsung, was the target of a sophisticated attack by a group of government-affiliated Chinese hackers (the Codoso Group).

The attackers are believed to have broken into LoopPay’s corporate network, but not the production system that helps manage payments, said Will Graylin, LoopPay’s chief executive and co-general manager of Samsung Pay.

LoopPay executives said the Codoso hackers appeared to have been after the company's technology, known as Magnetic Secure Transmission (MST), which is a key part of the Samsung Pay mobile payment wallet.


Page 25: New trends in Payments Security: NFC & Mobile

Other facts

Ownership of payment data security is not centralized: 28% of respondents said responsibility sits with the chief information officer, 26% with the business unit, 19% with the compliance department, 15% with the chief information security officer and 14% with other departments.

Hackers are targeting the latest technology in mobile payments

According to the independent study, 55% of respondents said they did not know where all their payment data is stored or located.

Senior threat researcher Numaan Huq, speaking about the current PoS security landscape, explained that PoS malware remains a threat despite the newer payment technologies.

With the recent introduction of new payment technologies such as EMV and RFID contactless cards, businesses are expected to upgrade to new, more secure payment systems. However, attackers will come up with new strategies against these improved systems and environments.


Page 26: New trends in Payments Security: NFC & Mobile

How to Secure Payment Environment

Payment Security Standards – PCI DSS, PA DSS and PCI PIN

Training - Get the teams trained on Payment Security Implementation

Payment Security Risk Assessment

Payment Data Discovery

Effective segmentation between payment data and non-payment data.


Page 27: New trends in Payments Security: NFC & Mobile

PCI Security Layered Approach

Process
• VAPT
• Web application PT
• Firewall rule review

Application
• Encrypting the DB credentials
• Storing truncated PAN instead of full PAN; CVV2 is never stored after authorisation

Server
• OS hardening
• Not deploying the DB on the same server as the application (one primary function per server)
• Patch management

Network
• Firewall: securely configuring the FW matters more than merely having one
• IPS: configure it to drop the offending packets, not only to alert
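As an added example (not from the SISA deck), the following Python script combines two of the controls above, payment data discovery and PAN truncation: it scans constructed PoS log lines for PAN-like digit runs, keeps only those that pass the Luhn check (so order numbers and timestamps are not reported), returns each in truncated form (first six and last four digits, the most PCI DSS allows to be displayed) and flags any CVV2 value stored next to them, since sensitive authentication data must not be retained after authorisation. The function names, regexes and sample log are assumptions for illustration.

```python
"""Added example (not from the SISA deck): payment data discovery plus PAN
truncation over constructed log lines. Function names are hypothetical."""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV2/CVC2/CID label followed by a 3-4 digit value: sensitive authentication data.
_CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\D{0,5}(\d{3,4})(?!\d)", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def discover_pans(text: str) -> List[Dict]:
    """Report each line holding a Luhn-valid PAN or a stored CVV2 value."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "pan",
                                 "length": len(digits), "masked": truncate_pan(digits)})
        if _CVV.search(line):
            # Never echo the value itself; its presence is the finding.
            findings.append({"line": lineno, "kind": "cvv2", "masked": "***"})
    return findings


# Constructed sample: two card numbers are industry test PANs, the third is a
# valid-format Amex test PAN; the order number and phone number are decoys.
SAMPLE_LOG = """2015-11-18 10:02:11 POS01 sale card=4111111111111111 exp=12/18 cvv2=123 amt=19.99
2015-11-18 10:05:40 POS01 sale card=5500 0000 0000 0004 amt=7.50
2015-11-18 10:07:02 POS02 order=20151118123456 phone=5551234567 status=ok
2015-11-18 10:09:13 POS02 sale card=378282246310005 amt=120.00
"""

if __name__ == "__main__":
    for finding in discover_pans(SAMPLE_LOG):
        print(finding)
```

Run against real log and database exports, a scanner like this answers the "where is our payment data" question from the Ponemon figures above; anything it finds outside the defined cardholder data environment is a segmentation failure, and any CVV2 hit is a storage violation regardless of location.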


Page 28: New trends in Payments Security: NFC & Mobile

PCI for Protecting Payments

Page 29: New trends in Payments Security: NFC & Mobile

Thank You! Please feel free to write any questions to [email protected]
