• Payment Security Vulnerabilities: Change is Everywhere

    It has always been understood that change is inevitable.  Many clichés surround the concept of change, including being changed for good, and change that you cannot stop.  In the last two years alone, just about everything we touch has changed dramatically.  The entire model of how we work, socialize, and behave as consumers has changed.  We once went to an office every day; now, we work primarily at home.  We once watched movies on DVDs; now, we stream our entertainment on demand.

    Change opens vulnerability

    We have also changed the way that we pay for goods and services, and in many of our transactions we are now offered alternatives beyond using our credit cards, such as wallets and instant payments.  Unfortunately, this has also presented opportunities for criminals to capitalize on these shifting behaviors, and digital transformation has made this a more attractive target than ever.  Just as we can work remotely, so can cybercriminals.  According to one report, 18 million Americans were defrauded through scams involving digital wallets and person-to-person payment apps in 2020.

    Whilst there’s no doubt alternative payment methods are attractive, we need to look to the credit card ecosystem for lessons learnt and best practice, especially relating to fraud and security. The credit card system as we know it, and its underlying security, has evolved over six decades, making it an arguably safe payment method. All of the mitigations that protect the card payment process were developed over time, but perhaps our haste to embrace the change to new payment methods has occurred with a lack of proper forethought. Have we actually attached the same level of trust to alternative payments because we have grown accustomed to the security afforded to credit cards?

    What has been done?

    Some of the safeguards used with credit cards, such as standards for handling account data, point-to-point encryption mechanisms, PIN verification, replay attack prevention, and Host Card Emulation, are all helpful and have resulted in a decline in physical payment card fraud. However, most payments are now being transacted remotely, so these safeguards must be applied to the new payment methods.

    Alternative payment methods are typically tied to a bank account and a real-time payment network to efficiently and rapidly move money from person-to-person, or person-to-merchant. The problems that remain unaddressed to date include loose and nascent regulations, constant changes that confuse consumers, and the rush to market to release new applications.  The niche that the criminals have discovered is that the speed of the real-time payment process allows the money to be extracted and moved along multiple payment destinations before the crime is detected, making it difficult to retrieve the fraudulent transaction.  In a more horrifying realization for the victim, the bank is often under no obligation to protect the transaction since the payment was fully “authorized” by the consumer.

    Moving Forward

    Just as the fraudster lag is decreasing, the security lag is increasing – in other words, the criminals are outpacing the security advancements.  Similar to the traditional problems of the Software Development Lifecycle (SDLC), security is not being introduced early enough in the development of these payment applications.

    There are several critical ways to move forward in this new payment environment:

    • Encryption – introduce encryption much earlier in the data capture process and maintain it all the way through until the data is captured in the database.  This would limit any unintentional data exposure.
       
    • Tokenization – while we are all familiar with tokenizing credit card data, this needs to be extended to the instant payment environment.  Tokenization could introduce restrictions such as one-time use, merchant segmentation, and amount limits.
       
    • Provisioning – securing the provisioning channels would allow the deployment of limited-use credentials, similar to mobile payment systems that use Host Card Emulation (HCE) for contactless mobile payments.  This would also protect the data if the consumer’s device becomes compromised.
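
    The restrictions named in the tokenization bullet (one-time use, merchant segmentation, amount limits) can be enforced at redemption time, as in this added example, which is not code from the article or from any vendor. The names `TokenVault` and `TokenRecord`, the in-memory store, and the short token lifetime are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    account_ref: str        # internal funding-account reference; never leaves the vault
    merchant_id: str        # merchant segmentation: only this merchant may redeem
    max_amount_cents: int   # amount restriction
    expires_at: float       # assumed short lifetime, not named in the article
    used: bool = False      # one-time-use flag


class TokenVault:
    """Hypothetical in-memory vault; a production vault would use a durable,
    access-controlled store and make the check-and-burn step atomic."""

    def __init__(self):
        self._records = {}

    def issue(self, account_ref, merchant_id, max_amount_cents, ttl_seconds=120, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # random value, carries no account data
        self._records[token] = TokenRecord(
            account_ref, merchant_id, max_amount_cents, now + ttl_seconds)
        return token

    def redeem(self, token, merchant_id, amount_cents, now=None):
        """Return (account_ref, None) on success or (None, reason) on refusal."""
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown_token"
        if rec.used:
            return None, "already_used"
        if now > rec.expires_at:
            return None, "expired"
        if merchant_id != rec.merchant_id:
            return None, "wrong_merchant"
        if amount_cents <= 0 or amount_cents > rec.max_amount_cents:
            return None, "amount_not_allowed"
        rec.used = True  # burn the token before releasing the account reference
        return rec.account_ref, None
```

    A token captured in transit is useless at a different merchant, for a larger amount, or after its single redemption, and each refusal reason can feed fraud monitoring.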

    A key to secure provisioning is to also secure the backend processing.  This is best accomplished using a Hardware Security Module (HSM). An HSM balances the lack of device security with strengthened backend security.  This is the best way to manage the security keys from inception to destruction, as well as the establishment of secure channels.

    An HSM removes the responsibility of key management from an individual, enabling people to work unencumbered by old key management processes.  It also facilitates compliance, audit tasks, and procedures. Most importantly, an HSM performs cryptography at scale, is tamper-resistant, and protects keys and algorithms.

    Change may be inevitable, but allowing your clients to become victims of change is not.  Learn more about how Thales can help your organization achieve a trusted payment environment.
