Online Payment Methods - Steven Murdoch

Online Payment Methods
Dr Steven J Murdoch
Computer Laboratory

Visa and MasterCard
• What do they do?
• Some important tasks for online (and offline) payments:
  • Run communication network
  • Set standards
  • Manage disputes between members
  • Set contractual terms between members

Terminology

How well does the system work?
[Chart: fraud losses (£m) per year, 2004 to 2013, by type: Card-not-present, Counterfeit, Lost and stolen, ID theft, Mail non-receipt, Online banking, Cheque fraud, Phone banking; the Chip & PIN deployment period is marked. Total, ex phone (£m): 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9]

The EMV protocol

Counterfeit fraud
• Producing a fake card (typically magnetic stripe) from harvested details

Liability engineering
Deployment of Chip and PIN
• Chip and PIN was expensive for all parties
• Deployment was encouraged through “liability engineering”

Who bears the liability for a fraudulent transaction, by card type (rows) and terminal type (columns):

| Card \ Terminal | magstripe | chip | chip & PIN |
|---|---|---|---|
| magstripe | Issuer | Issuer | Issuer |
| chip | Acquirer | Issuer | Issuer |
| chip & PIN | Acquirer | Acquirer | Issuer |

• Liability pushed down the chain: acquirer → merchant; issuer → customer
• Led to rapid deployment, but this caused some problems
• Still took 10 years

The no-PIN attack

The EMV protocol

The no-PIN attack protocol

Online banking authentication
• Simple scam is to “phish” for account details
  • Ask for username and password
  • Low success rate, but just a few customers is enough to make the investment worthwhile
• Actually moving money out is the high-risk part of the scam
  • This is allocated to money mules, recruited supposedly to pay foreign staff
  • Often the money mule will lose money and may be prosecuted for fraud

Hardening passwords

Replacing passwords (iTAN)

Man in the Browser

MitB protection

Transaction authentication

Summary so far
• Counterfeit fraud
  • Magnetic stripe fallback facilitated by Chip and PIN
• Lost and stolen/Mail non-receipt
  • no-PIN attack can bypass PIN protection
• Cheque fraud and ID theft
  • Primarily not a technology problem
• Online banking
  • Transaction authentication is likely the way forward

Combining EMV with online banking

Combining EMV attacks with online banking

Card not present transactions
• Basic version: same as old card-present transaction
  • Card number and expiry date sent back
  • Can also send back CVV2 off back of card
  • Can also perform address verification
• Every extra step will lose customers at check-out stage
  • Some vendors will skip security measures
    • Amazon don’t even perform CVV2 checks
    • Leaves non-Amazon users at risk of fraud (though they will eventually be refunded)

Acquirer interface for web-based merchants
• Small web merchants will not deal directly with acquirer
  • To allow international payments, many acquirers likely needed
  • Merchants might like to avoid access to customer details as much as possible to reduce liability
• Examples of payment processors include
  • Sage Pay
  • Worldpay
• PayPal slightly different
  • Hoped people would leave money in account; actually mostly ended up as payment processor

Example: Sage Pay (Form)

Example: Sage Pay (Server)

Example: Sage Pay (Direct)

3-D Secure (Verified by Visa/MasterCard SecureCode)
Visa

3-D Secure (Verified by Visa/MasterCard SecureCode)
American Express

3-D Secure phishing vulnerability

SOFORT Überweisung

Mobile payments
• May just be interface to online banking website
• mPESA and similar use mobile SIM as root of trust (serves underbanked)
• Barclays Pingit based around Direct Debit

Summary and conclusions
• For card-present transactions, Chip and PIN was supposed to help
  • Reality was more complex and fraud went up
• Card fraud is now dominated by card-not-present transactions
  • Merchant pays cost, but extra security loses customer conversions
  • For small merchants, much of the work is delegated to payment processor
• Online payment systems typically run on previous rails
  • Credit/debit card (optionally with 3D Secure)
  • Online banking
  • Direct debit