Sunday, October 20, 2019

EBA Relaxes Requirements for Strong Authentication

"The European Banking Authority (EBA) has issued a new Opinion that provides the European payments industry with an EU-wide additional 15 months to comply with strong customer authentication (SCA) requirements for online ecommerce transactions."

Since there are banks that are already in compliance, the solution for consumers is to do business only with those banks.  

While there is no international law on this, there is good banking practice that is universal.  All banks have an obligation to "know their customers," and to ensure that "transactions are properly authorized."  Passwords that are vulnerable to fraudulent reuse do not meet these standards of good practice.  

In an era when most customers have e-mail, mobile computers, or both, strong authentication is not sufficiently difficult to implement to justify an extension.  This is an example of "regulatory capture."  The authority is derelict.  It is serving banks rather than customers.  Shame.  

Friday, September 20, 2019

Do not Rely Solely...

I often tell small children that "in the future most of your toys will talk and listen and generally tell the truth; when in doubt ask Dad."

However, this is the age of disinformation, "fake news," and state propaganda.  Our children will confront errors and deliberate lies.  At some level, we all know that Fox, CNN, and MSNBC have agendas, biases, that make them less than totally reliable.  We need to equip our children to recognize and cope.  

I like Wikipedia, I think that it is one of humanity's greatest achievements, in part because it relies for its authority on its users.  Teachers question the authority of Wikipedia: they prefer the Britannica, in part because it relies for its authority on scholars like themselves.  They prefer it even though it is only one-sixth the size of Wikipedia and much more difficult to use.  However every night when I go to bed, I give thanks that Wikipedia is a little better than it was when I got up in the morning while the Britannica is just as bad.  Wikipedia is self-correcting.  

The net is that we want our children to think critically, to be skeptical, to be able to separate facts from opinion, what is important from that which is trivial, to prefer primary sources, to prefer neutral sources, PBS and C-SPAN before Fox or MSNBC.  Perhaps the single most important tool that we can teach them is to check multiple sources.  

Security by Obscurity

According to Wikipedia, "Security through obscurity is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."  Labeling the other guy's security strategy as "security by obscurity" is how we disparage it.  

However, looked at another way, all information security is about secrecy, if not obscurity.  What we think of as security can be seen as the collection of mechanisms that we use to reduce the size and number of the secrets that we must keep. 

Encrypting an object reduces the problem of hiding the file to one of hiding only the key.  Access control may reduce the problem of hiding user capabilities and privileges to one of hiding the user password.  

Wednesday, September 18, 2019

Out of Band Confirmation

This morning I sent a gift via PayPal to a family member, one to whom I had never sent one in the past.  The transaction was initiated using the PayPal iOS app.  It included an out of band one time password and was from a device that PayPal recognized.  Almost immediately, I got an e-mail confirming the transaction.  About an hour later, I received an SMS message from PayPal asking me to confirm that I had initiated the transaction.  When the charge hits my little four branch community bank, I will receive another e-mail and another SMS from them.  Incidentally, I also got a "thank you" e-mail from the family member.

If I had used a new device to initiate my transaction, the web instead of the app, or changed my e-mail, cell number, or bank accounts, PayPal would have confirmed those activities.  For changes to my e-mail or cell number in my PayPal profile, PayPal would confirm those changes to the other address and for the address changed to both the new and the old addresses.   So will, for example, American Express, Fidelity, BoA, and Chase.

How much of this is by design, I do not know.  What I do know is that, if my transaction was not properly authorized, PayPal, my bank, and I would have ample opportunity to learn about it on a timely basis.  

Having two or more addresses for our customers, two ways to get a message to a device carried in one's hand, pocket, or purse, makes this control more effective than ever.  The cheap and fast communication provided by the modern public networks makes them so efficient that it could be considered negligent, even reckless, not to use them.  

What continues to concern me is that when I go to fraud conferences, I may be the only one to talk about "out of band confirmations," perhaps the single most powerful fraud detection mechanism that we have.  

Please put this tool in your kit.  Promote it every chance you get.  Ensure that it is included in all your applications.  Confirm all transactions and new or changed user profile data.  Confirm to every address that you have.  Confirm address changes, postal, e-mail, phone numbers, and device identities, to both the old and the new address.
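The rules in the paragraph above (confirm every transaction and profile change, to every address on file, and address changes to both the old and the new address) are mechanical enough to encode. The block below is an added example, not code from the post or from PayPal or any bank; the `Profile` shape, the event kinds and the message texts are hypothetical. It computes the recipients of each confirmation before the change is applied, so the old address is still on file when the notice goes out.

```python
"""Out-of-band confirmation policy (added example; names are hypothetical).

Rules encoded, taken from the post:
  * confirm every transaction and every new or changed profile item
  * send the confirmation to every address on file
  * for a change of address (e-mail, phone, device), also confirm to both the
    old and the new address
"""
from dataclasses import dataclass, field

ADDRESS_FIELDS = ("emails", "phones", "devices")


@dataclass
class Profile:
    """Contact points a provider holds for one customer (hypothetical shape)."""
    emails: set = field(default_factory=set)
    phones: set = field(default_factory=set)
    devices: set = field(default_factory=set)   # recognized devices that can receive a push
    other: dict = field(default_factory=dict)   # non-address items, e.g. a linked bank account

    def all_addresses(self) -> set:
        return set(self.emails) | set(self.phones) | set(self.devices)


def confirmation_targets(profile: Profile, event: dict) -> set:
    """Addresses that must receive an out-of-band notice for `event`.

    Event kinds (hypothetical): 'transaction', 'new_device', and
    'profile_change' carrying 'field', 'old' and 'new'.
    Call this BEFORE applying a profile change, while the old address is on file.
    """
    targets = profile.all_addresses()
    if event["kind"] == "profile_change" and event["field"] in ADDRESS_FIELDS:
        # an address change is confirmed to both the old and the new address
        targets |= {event["old"], event["new"]}
    targets.discard(None)                        # a brand-new item has no old value
    return targets


def describe(event: dict) -> str:
    """Text of the confirmation; the customer is asked to dispute, not to approve."""
    kind = event["kind"]
    if kind == "transaction":
        return f"Did you send {event['amount']} to {event['payee']}? Reply NO if not."
    if kind == "new_device":
        return f"A new device ({event['device']}) was used on your account."
    return f"Your {event['field']} was changed from {event['old']} to {event['new']}."


def process_event(profile: Profile, event: dict) -> list:
    """Plan the confirmations for an event, then apply the event to the profile.

    Returns a list of (address, text) messages, one per address on file
    (plus the old and new address for an address change).
    """
    targets = confirmation_targets(profile, event)
    text = describe(event)
    messages = [(addr, text) for addr in sorted(targets)]

    # apply the change only after the recipients were chosen from the old profile
    if event["kind"] == "profile_change":
        if event["field"] in ADDRESS_FIELDS:
            bucket = getattr(profile, event["field"])
            bucket.discard(event["old"])
            bucket.add(event["new"])
        else:
            profile.other[event["field"]] = event["new"]
    elif event["kind"] == "new_device":
        profile.devices.add(event["device"])
    return messages


if __name__ == "__main__":
    # constructed sample customer
    customer = Profile(emails={"a@example.com"}, phones={"+15550100"}, devices={"ios-1"})
    for msg in process_event(customer, {"kind": "profile_change", "field": "emails",
                                        "old": "a@example.com", "new": "b@example.com"}):
        print(msg)
```

The design point is the ordering in `process_event`: the recipient set is frozen from the profile as it was before the change, which is what puts the old e-mail address on the list when the e-mail address itself is what changed.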

Monday, September 9, 2019

Apple Titanium Card

I have been waiting for my Titanium Card to be delivered before writing this evaluation.  Read it in the context of my last post.  

The card is delivered via FedEx in a large envelope.  There is a return address but it does not say "Apple."  This resists theft of the card in transit.

Inside the FedEx envelope is a tamper evident 4.5" x 6.25" x 0.25" corrugated cardboard package containing the card.  This protects against tampering with or skimming the card in transit.  

While a signature is not required for delivery, one gets a notification of delivery.  This may narrow the window of opportunity for theft from the doorstep.  

Only after receipt does one see the button in the Wallet App to "activate" the card.  This resists any use of the card prior to receipt by the legitimate owner.  

While the owner's name is on the face of the card, the card number, expiration date, and the CVV are not.  While the number is on the magnetic strip, unlike with all other cards, it is different from the number that one would use at an e-commerce site.  Thus, the only way that one might monetize knowledge of the number would be to use it to counterfeit a card.  

Note that any fraudulent use of the number on the stripe will show up immediately on the owner's iPhone so that the transaction can be reported as fraudulent and the number can be reported as compromised.  Skimming the number and counterfeiting a card for one or two uses is a high hurdle.  

The value on the magnetic stripe, provided for backwards compatibility, on a card which will be used sparingly, is a limited vulnerability.  From a security perspective, consumers should prefer Apple Pay (using iPhone or Apple Watch), EMV, manual entry of the number (from the iPhone Wallet App), and swiping the magnetic stripe in that order.  While the magnetic stripe is more convenient than manual entry, many users may never have to use either.  As point of sale devices are modernized, the requirement for any alternative to contactless or "chip" will decline.  

Finally, in the app, one can disable and enable the card.  Thus one can carry the card while mitigating the risk of fraudulent use should it be lost or stolen.  Since I expect the use of the Titanium card to be sparse, mine remains disabled by default.  Others may choose to leave it enabled by default, disabling it only should it be lost or stolen.

The vulnerability of the number on the magnetic stripe is not limited to the Titanium card; so far it is not possible to get any other credit card without this vulnerability.  On the other hand, the Titanium card does not have the vulnerability of having the primary account number, the expiration date, and the CVV on the face.  Therefore, if one is going to carry a credit or debit card with a number in the clear on the magnetic stripe, the Titanium card is the clear favorite.  

(Incidentally, I convinced myself.  I got the Titanium card, intending to put it in the drawer and never carry it.)

Friday, August 30, 2019

Recommendations on Retail Payment System Security

According to the Nilson Report, global credit card and debit card fraud resulted in losses amounting to $21.84 billion during 2015.  Losses have increased every year since 2002.  While the majority of these losses are charged to the card issuers, the cost is passed along to the consumer in the form of interest charges and fees.  (See sources and other statistics at WalletHub.)

Moreover, we have seen the growth of an illegal industry attacking and stealing personally identifiable information, and monetizing that information using credit and debit card account numbers, ATMs, and e-commerce.  In the market place of this industry it is possible to buy active primary account numbers and authenticating data.  The size and complexity of this industry makes it all but impossible to estimate its cost to the legitimate economy.  

Given the number of enterprises collecting, communicating, and retaining this data, some leakage is inevitable.  However, it is the ability to monetize the data that supports the illegal trade and which motivates many of the active attacks.  While we have seen some arrests and convictions in the illegal industry, many of these attacks and the fraudulent use of the data are going unpunished.  

It is the author's assertion that one means of reducing this illegal trade is to reduce the storage and use of primary credit and debit card account numbers.  Specifically we propose the elimination of the primary account numbers on the face of the card, the magnetic stripe, in the transaction, and in storage on merchant sites; all of these uses to be replaced by physical and digital tokens.  In most cases, the Payment Authorization Number (PAN) should be a digital token rather than the primary account number.  We assert that the financial technology and payment card industries already know how to do this, that there are demonstration projects ongoing, and that much of the necessary infrastructure to do this is already in place.  

The new Apple credit card is an example of a physical token that hides the primary account number.  Contactless EMV cards and mobile wallets are examples of digital tokens at transaction time.  While the current practice is to put the primary account number in the clear, both in text on the face of the card and on a magnetic stripe, this is for purposes of backwards compatibility, is archaic and unnecessary, and, in the light of the problem outlined above, should be eliminated.  

Some merchants have already replaced the primary credit card account number in their customer record with a digital token.  While this may add a little cost it reduces the risk of attacks against their systems and that the account number can be compromised in a breach.  

PayPal, Masterpass, AmEx Express Pay, Apple Pay, and Visa Checkout are all examples of services for authorizing e-commerce payments without the use of the credit or debit card account numbers.  These systems not only guarantee the merchant payment but transfer the cost and risk of authenticating the customer name and address to the service provider.  While the services may marginally increase the transaction cost to the merchant, this is more than offset by the reduction of risk.  These services also reduce the risk to the consumer of the leakage and fraudulent use of his account numbers.  

We recommend the following:

  • The elimination of the magnetic stripe from all newly issued credit or debit cards
  • The use of one-time Payment Authorization Numbers  (PANs) throughout the payment system
  • The replacement of primary account numbers with one-time payment authorization numbers in e-commerce
  • The replacement of primary account numbers with digital tokens in merchant systems storage
  • The replacement of mag-stripe and PIN at ATMs with EMV
  • Preference for digital wallets at point-of-sale and ATMs
  • The elimination of the primary account number in text on the face of cards
  • Prefer EMV cards with biometrics for convenience and security

These recommendations are intended to address the systematic problems in the retail payment system.  They are independent of one another and each can be implemented, in whole or in part, by itself.  However, they do complement one another and collectively are necessary to the greatest effectiveness.  The first is the most important and the only one for which there are no trials or demonstrations.  Every little bit will help.
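To make the token recommendations concrete (a token in merchant storage instead of the primary account number, a one-time Payment Authorization Number in e-commerce), here is an added example that is not code from this post or from any payment network; the classes, channel names and the "token vault" are hypothetical simplifications of what the industry does. It also illustrates the Titanium Card post above, where the number on the stripe is different from the number used online: each token is bound to one channel, so a number skimmed from one channel resolves to nothing in another.

```python
"""Tokenized retail payments (added example; hypothetical classes and names).

  * the merchant stores only a token, never the primary account number
  * each token is bound to one channel (stripe, e-commerce), so a number
    captured in one channel is useless in another
  * an e-commerce purchase uses a one-time payment authorization number
    that is consumed on first use and expires if unused
"""
import secrets


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a payload of decimal digits (check digit not yet appended)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                    # the rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)


def luhn_valid(number: str) -> bool:
    """Format check only (a Luhn-valid number says nothing about authorization)."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def random_number(length: int = 16) -> str:
    """Random, Luhn-valid number with no mathematical relation to any account number."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(length - 1))
    return body + luhn_check_digit(body)


class TokenVault:
    """Held by the issuer or payment service provider, never by the merchant."""

    def __init__(self):
        self._pan_of = {}                 # token -> (PAN, channel)
        self._token_of = {}               # (PAN, channel) -> token

    def tokenize(self, pan: str, channel: str) -> str:
        key = (pan, channel)
        if key not in self._token_of:
            token = random_number()
            while token in self._pan_of or token == pan:   # avoid collisions
                token = random_number()
            self._pan_of[token] = key
            self._token_of[key] = token
        return self._token_of[key]

    def resolve(self, token: str, channel: str):
        """PAN behind a token, only when presented in the channel it was issued for."""
        entry = self._pan_of.get(token)
        if entry is None or entry[1] != channel:
            return None
        return entry[0]


class OneTimePanIssuer:
    """Issues single-use Payment Authorization Numbers for e-commerce."""

    def __init__(self, vault: TokenVault, ttl_seconds: int = 300):
        self.vault = vault
        self.ttl = ttl_seconds
        self._pending = {}                # one-time number -> (e-commerce token, issued_at)

    def issue(self, ecommerce_token: str, now: float) -> str:
        number = random_number()
        self._pending[number] = (ecommerce_token, now)
        return number

    def authorize(self, number: str, amount: float, now: float):
        """(approved, reason). The number is consumed whether or not it is approved."""
        entry = self._pending.pop(number, None)
        if entry is None:
            return False, "unknown or already used"
        token, issued_at = entry
        if now - issued_at > self.ttl:
            return False, "expired"
        pan = self.vault.resolve(token, "ecommerce")   # only the vault ever sees the PAN
        if pan is None:
            return False, "token not valid for this channel"
        return True, f"approved {amount:.2f} on account ending {pan[-4:]}"


def demo() -> dict:
    """Walk through the flow and return the facts worth checking."""
    pan = "4111111111111111"              # constructed sample PAN (a well-known test number)
    vault = TokenVault()
    stripe_token = vault.tokenize(pan, "stripe")
    shop_token = vault.tokenize(pan, "ecommerce")
    merchant_file = {"customer-42": {"token": shop_token}}   # all the merchant retains

    issuer = OneTimePanIssuer(vault)
    otp = issuer.issue(shop_token, now=1000.0)
    first = issuer.authorize(otp, 25.00, now=1010.0)
    replay = issuer.authorize(otp, 25.00, now=1011.0)
    stale = issuer.issue(shop_token, now=2000.0)
    late = issuer.authorize(stale, 5.00, now=2000.0 + 301)

    return {
        "pan_absent_from_merchant": pan not in str(merchant_file),
        "tokens_differ_per_channel": stripe_token != shop_token,
        "tokens_are_luhn_valid": luhn_valid(stripe_token) and luhn_valid(shop_token),
        "stripe_token_rejected_online": vault.resolve(stripe_token, "ecommerce") is None,
        "first_use_approved": first[0],
        "replay_rejected": replay == (False, "unknown or already used"),
        "expired_rejected": late == (False, "expired"),
    }
```

Two choices carry the security argument. The tokens are drawn at random rather than derived from the account number, so a breach of the merchant file or a skimmed stripe yields nothing that can be reversed into the PAN; and `resolve` checks the channel, which is what makes the stripe number and the e-commerce number genuinely different credentials rather than two spellings of one.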

We recognize that implementation of these recommendations will take time but it is urgent and should be done within 3-5 years.  While we believe that these recommendations are self-justifying, we recommend that mechanisms like the Payment Card Industry Data Security Standards and California and New York legislation be used to add motivation as necessary.

Friday, August 23, 2019

The Budget Fairy

It is a persistent plaint of the security managers that they do not have sufficient budget to do what they think should be done.  One wonders where they think budget comes from.  There is no budget fairy that comes down and confers budget on good little boys and girls. Those managers who have budget all got it the same way; they asked for it.  

Security managers are peculiarly loath to ask for budget for fear they will be told no. (A "no" in the record might look bad but it is an implicit acceptance of any risk that the proposal was intended to reduce.  It should be in the record.) Those who ask for budget get told no a lot. Those who have budget did not take no for an answer. They re-did their proposal or their justification and asked again.  And again.  As many times as necessary to get to yes.

Note that almost anyone in the hierarchy can say no.  Those who have budget find the executive or manager who can also say yes.  They never accept no for an answer until they are sure that they have proposed to someone who can say yes if she wants to.  Note that while we may sometimes get budget from senior staff, it is usually the line of business executives who control most of the resources and incur losses.  (Senior line of business executives often have "budget" or "plans and controls" staff, who manage budget, understand the process, and know how much discretion the executive has.  These staff can be very helpful.)

Those who have budget are the same managers who are being promoted.  General management likes few things better than managers who will tell them how to spend money profitably.

Security initiatives are usually justified either by a reduction, at least over time, in the cost of security or the cost of losses.  These reductions have the advantage that they fall through to the bottom line as profit.  It is useful to budget for "losses;" while they occur irregularly, they do occur.  At least at the level of the enterprise or business unit, they can be estimated; all budgets are estimates but get more accurate with experience.  Increases in the budget for initiatives can be justified in part by a reduction in the budget for losses.  

Managers often see budget as a restriction on their ability to spend.  Rather they should see it as permission.