Adoption of EMV chip secures transactions not data
Many merchants have adopted the EMV chip technology for point of sale purchases, but now criminals are taking advantage of the ease with which they can commit digital fraud. The increase in cybercrime means that thieves are accessing the environment, committing card not present (CNP) fraud and stealing data.
[ ALSO ON CSO: Why have most merchants missed the EMV deadline ]
The European Central Bank released its fourth report on card fraud in July 2015. The report concluded, “CNP fraud went up by 21%, accounting for 66% of all fraud losses on cards.” While data on total CNP transaction is only partially available, the report said there has been a significant growth in cybercrime.
“As further growth in CNP transactions can be expected, as well as a potential migration of fraud to this environment owing to higher security measures in the card-present environment, there is a strong case for the swift adoption of more effective security measures to protect this type of transaction,” the report said.
While storefront retailers adjust to learning the new EMV chip systems, which allow for more secure transactions at point of sale, “Most security professionals and IT practitioners — even those who work for merchants — are less conversant with the payment ecosystem and how data flows,” said a Securosis report released in September 2015.
“Further, it is not appropriate to focus purely on chips in cards because security comes into play many other places in the payment ecosystem,” the report noted. Data is still vulnerable because criminals continue to find entry points into the environment through point of sale systems and other weak links.
EMV and other new payment technologies at point of sale make it more difficult for criminals to commit credit card fraud by copying a magnetic strip. Instead, criminals are targeting digital commerce and online data. “EMV is often misunderstood in terms of what it does, which creates security vulnerabilities,” said George Rice, senior director of payments, HPE Security.
George Rice, senior director of payments, HPE Security
“Data being stolen is not limited to payment data. All data sets need to be protected. All of this are data that criminals can monetize in one way or another. If they are able to infiltrate the security, they can extract data into their own possession,” Rice said.
With these new payment technologies comes a misunderstanding of the information they secure. “What EMV doesn’t do is protect the data in its transit point up to the bank. Data is not protected as transmitted. EMV is not doing anything to prevent the theft of card data in transit to the bank,” Rice said.
The threat landscape, then, shifts from point of sale to the payment life cycle and the applications merchants run in their online environments. Many criminals use malware, spear phishing, and social engineering to steal employee identities and gain access to the environment.
The security concern is not limited to fraudulent credit card use but extends to the critical data the company collects as well. As more merchants collect and store data to personalize the customer experience, that data becomes more valuable and vulnerable.
Nir Polak, CEO and co-founder of Exabeam, said “Hackers are like water. They will find the crack and go through it. There is not a place on your network that is not vulnerable.” The holiday season impacts the vulnerability of the enterprise because many security teams are stretched too thin, but the threats exist year round.
“Hackers are breaching the networks of retailers and e-commerce brands using stolen employee credentials,” Polak said. “We have uncovered hacker using valid credentials to log on to a self-checkout POS system of a major retailer and make a connection with 1,700 POS systems.”
One problem is, there are still legacy systems that must see the card in the clear. Polak said, “Companies need to put an open door somewhere to see the credit card, for charge backs as an example.” Some criminals even go after the credit card processors.
Though EMV chip technology solves someone putting malicious code on the point of sale itself, “The credit card number still has a life cycle when it leaves the point of sale,” Polak said.
Throughout the payment life cycle, there are several places for criminals to find data, whether it’s printing coupons at point of sale or handling charge backs. “There are many situations where the retailer needs to have access to the full credit card number to conduct disputes and provide refunds,” Polak said.
Polak said, “There may be some situations where a token may suffice to handle disputes and refunds, but that really depends on the credit card processing company and retailer relationship as well as the tokenization technology in place.”
It’s a lot easier to make fraudulent charges online because users need to enter a full 16-digit credit card number. There is no encryption around saving that data.
Security professionals need to be able to detect threats, and Travis Smith, senior security research engineer at Tripwire, said there are a lot of variants of malware that steal data out of memory.
Hardening the environment for online merchants and looking for critical system files that are being altered are two ways that enterprises can work to mitigate threats and minimize risk.
Because encryption is the best and easiest way to create smaller segments of what hackers can steal, Smith said, “The number one step for security with online merchants is encryption of everything from data at rest in the database to data in transit.”
Jamil Farshchi, Home Depot's CISO, said, “We’ve seen it happen because adversaries always look for the weakest link that will generate the most reward at the least risk.”
Many retailers are still in the process of adopting the EMV chip and signature, despite the October mandate for implementation. As was the case in Europe and Canada, merchants anticipate a decline in card present theft with a significant increase in CNP fraud.
“Their sensitive data on or via the websites are going to be at much greater risk,” Farshchi said.
Understanding where sensitive data lies allows enterprises to understand what protection tools they need to secure all of their applications. “Doing statistical analysis to actually do code reviews and driving a strong remediation process and communicating with development teams,” are key steps in strengthening online security, Farshchi said.
Depending on the applications running in the environment, having the ability to go through and do any remediation and testing can be difficult to impossible. There are, however, a variety of things security professionals can do to protect their data.
What’s most important, said Farshchi, “Is to provide development teams with the tools that don’t over encumber them in a way that prevents them from being able to release on time.”
Farshchi also recommended, “Leverage data sets to be able to monitor, use fraud prevention tools, and build out a seamless process for how applications are developed from the beginning to make sure they address security up front before it’s released.”
Unless a business looks at security holistically, they will end up with gaps, said Rice, and criminals will always find the gaps.