Vulnerabilities / Threats

2/6/2014
10:22 PM
'Debit Or Credit' Becomes A Point-Of-Fail

Target's massive breach of payment cards and other retailer security incidents have stirred debate on alternative payment options at the register

The only way to avoid falling prey to cybercriminals trolling for your payment card information these days is to throw down cold hard cash or swipe a prepaid plastic cash card at the register. But carrying around wads of cash is obviously neither safe nor convenient, and buying prepaid cards has transaction and convenience challenges of its own.

Target's record-breaking data breach, revealed in December, was an eye-opener for major retailers and consumers, and lawmakers and retail industry executives are now rethinking how to better secure card payment systems and processes. Alternatives to today's vulnerable magnetic-stripe plastic, namely chip-and-PIN payment cards, are also getting more attention than ever in the U.S. as the reality sets in that Target could ultimately face potentially billion-dollar fines. It's also very likely that there's more pain to come from other retailers that have suffered the same fate and not yet come forward. Neiman Marcus and Michael's so far are the only other major retailers that have reported breaches in the wake of Target's announcement.

"Banks have gone out of their way to make [consumers] feel comfortable. They're just charging the retailers for this, but it's going to hurt the retail industry," says Avivah Litan, distinguished analyst with Gartner. "Maybe banks will now move on chip-and-PIN" sooner, she says.

Retailers have been in the bull's-eye of attackers for some time now. The retail industry was the No. 1 target of data breaches in 2012, according to Trustwave's data breach investigations report, accounting for 45 percent of its breach investigations that year. Payment card data was the type of data attackers went after most often in those breaches.

But the new twists in Target's breach that have trickled out over the past few months, along with worries that another big retail shoe will drop next, may help push electronic payment technology into a new, more secure generation. "The real technologies we need don't exist yet," says Adam Kujawa, malware intelligence manager for Malwarebytes. Ideally, Kujawa says, smart cards that can automatically change credit card account numbers, for example, would keep accounts more secure and eliminate the need for expensive card replacements like those Target has had to make. So in the meantime: debit, credit, or paper check at the register?

Security experts maintain that the debit card is most vulnerable because it's directly tied to the customer's bank account. Debit-card payment has become wildly popular for convenience reasons, but it's also very convenient for a cybercriminal who scrapes a debit card account number and PIN and gets a door into the bank account.

But because banks typically cover losses to a consumer's account, the reality of that type of breach often goes unnoticed by the victim, who merely gets his or her account credited for any fraudulent charges or withdrawals, and is then issued a brand-new card.

Some consumers kick it old school and write paper checks rather than risk their debit card account getting pilfered. But paper checks are not only less convenient, they also come with security weaknesses of their own. The check may not be on the hit list of an Eastern European cybercrime ring, but you have to rely on the trust of the cashier who handles the check, as well as the retailer when it stores the check and ultimately presents it to the bank for payment.

"With checks, the most obvious thing is the account number is unencrypted on the check," says BC Krishna, president and CEO of MineralTree, a provider of secure business payment tools. The customer's bank account and routing numbers are printed on a check: "That opens a massive amount of opportunity" for a nefarious merchant to pilfer that information, he says.

While check fraud may sound like an antiquated term in today's rampant electronic payment world, it's still common today. According to the American Bankers Association's 2013 account fraud survey, 54 percent of fraud loss came from debit card fraud and 37 percent from check fraud. Online banking and electronic transfer fraud accounted for 9 percent, the report says.

"I wish I could say this is safer than that. The reality is both [debit card and paper check] have vulnerabilities, and fraudsters are constantly exploiting those vulnerabilities in really creative ways," Krishna says.

There's always the credit card, which continues to be a major target of cybercriminal gangs, but with little to no risk to the consumer of financial liability. "One of the reasons to use credit cards instead of debit cards is that a debit card hits your bank account and a credit card hits your credit line as opposed to your cash. So you have a little time to go after the bad guys," too, Krishna says.

Prepaid cash cards from Visa, meanwhile, offer privacy and the convenience of cash, but can be tricky to manage.

[Retailers have been infected with a family of malware that stole payment card and personal information from some 50,000 customers. See Point-Of-Sale System Attack Campaign Hits More Than 40 Retailers.]

Next-Generation Payment Options

Chip-and-PIN technology is likely the next generation of payment cards: It's already well-established in Europe, but the U.S. has been slow to adopt it. These cards contain an embedded microchip and verify the cardholder with a PIN, rather than relying on the magnetic stripe and signature used by most payment cards in the U.S. today.

The U.S. card networks have set October 2015 as the liability-shift date for chip cards built on the Europay-Mastercard-Visa (EMV) standard: after that date, liability for counterfeit-card fraud moves to merchants that have not upgraded their terminals. But the standard doesn't require a PIN as the cardholder verification method (chip-and-signature is also allowed), which some experts say basically defeats the purpose of the stronger card technology.
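The difference between a stripe swipe and a chip transaction comes down to what the card hands the terminal: static track data that can be copied and replayed, versus a cryptogram computed fresh for each purchase. The toy model below is an added example, not code from the article and not an implementation of the EMV specification; real EMV derives 3DES or AES session keys and computes the ARQC with a block-cipher MAC, whereas here HMAC-SHA256 stands in for the cryptogram, the message layout is invented, and the track data is constructed. It shows a RAM-scraped copy of track data authorizing just like the original swipe, while a captured chip request fails on replay (the transaction counter does not advance) and fails again when the attacker edits the amount (the MAC no longer matches).

```python
"""Toy model of static stripe data versus a per-transaction chip cryptogram.
Added example, not from the article or the EMV specification: HMAC-SHA256
stands in for the card's cryptogram and all message formats are invented."""
import hashlib
import hmac
import os

# Constructed sample track 2 data (not a real card): PAN=expiry+service code+discretionary data.
TRACK2 = "4111111111111111=2512101000012345"


def stripe_authorize(presented_track2: str, track2_on_file: str) -> bool:
    """A stripe transaction carries only static data. Anything that reproduces the
    track is indistinguishable from the genuine card, so a scraped copy works too."""
    return hmac.compare_digest(presented_track2, track2_on_file)


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    # Simplified per-transaction key: HMAC(master key, ATC). EMV uses a block-cipher derivation.
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(session_key: bytes, pan: str, amount_cents: int, un: bytes, atc: int) -> bytes:
    # The MAC binds the amount, the terminal's unpredictable number and the counter together.
    data = f"{pan}|{amount_cents}|{un.hex()}|{atc}".encode()
    return hmac.new(session_key, data, hashlib.sha256).digest()


class ChipCard:
    """Card side: holds a master key and an application transaction counter (ATC)."""

    def __init__(self, pan: str, master_key: bytes):
        self.pan = pan
        self._mk = master_key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        self.atc += 1  # every transaction advances the counter, even failed ones
        sk = derive_session_key(self._mk, self.atc)
        mac = cryptogram(sk, self.pan, amount_cents, unpredictable_number, self.atc)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "arqc": mac}


class Issuer:
    """Issuer side: knows each card's master key and the last ATC it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str) -> ChipCard:
        mk = os.urandom(32)
        self._keys[pan] = mk
        self._last_atc[pan] = 0
        return ChipCard(pan, mk)

    def authorize(self, req: dict) -> bool:
        mk = self._keys.get(req["pan"])
        if mk is None:
            return False
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False  # replay: the counter must advance on every transaction
        expected = cryptogram(derive_session_key(mk, req["atc"]), req["pan"],
                              req["amount"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False  # amount, UN or counter was altered, or the key is wrong
        self._last_atc[req["pan"]] = req["atc"]
        return True


def terminal_transaction(card: ChipCard, amount_cents: int) -> dict:
    """Terminal side: challenge the card with a fresh unpredictable number and
    forward the card's response as the authorization request."""
    un = os.urandom(4)
    return card.generate_cryptogram(amount_cents, un)


def demo() -> dict:
    """Run a swipe and a chip purchase, then replay and tamper with each."""
    results = {}
    scraped = TRACK2  # what POS RAM-scraping malware would collect from a swipe
    results["stripe_replay_accepted"] = stripe_authorize(scraped, TRACK2)

    issuer = Issuer()
    card = issuer.enroll("4111111111111111")
    req = terminal_transaction(card, 4999)
    captured = dict(req)  # attacker copies the request from POS memory or the wire
    results["chip_first_accepted"] = issuer.authorize(req)
    results["chip_replay_accepted"] = issuer.authorize(captured)  # same ATC -> rejected
    # Attacker bumps the counter to dodge the replay check and edits the amount.
    tampered = dict(captured, amount=1, atc=captured["atc"] + 1)
    results["chip_tampered_accepted"] = issuer.authorize(tampered)  # MAC mismatch -> rejected
    # The genuine card's next purchase still authorizes.
    results["chip_second_accepted"] = issuer.authorize(terminal_transaction(card, 1250))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the model is the asymmetry: the stripe verifier can only compare static strings, so every copy is as good as the card, while the chip verifier checks a counter and a MAC over the terminal's challenge, so the captured message is worthless to the scraper. It also shows why the PIN question in the EMV rollout matters less for counterfeiting than for lost or stolen cards: the cryptogram stops cloning on its own, but a signature does nothing to prove who is holding the card.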

Another option is to get rid of the card altogether, Malwarebytes' Kujawa says. "Instead, banks could simply configure thumbprints or something else physical of customers to act as their own 'account number,'" he says.

Authentication would require three factors: something you are, possibly a thumbprint or other identification; something you know, such as a static passcode; and something you have, such as a one-time passcode that syncs with the payment server at the retailer or bank, he says.

"With all three of these securities put in place, the only way I could see an attacker compromising the purchase is if they hijacked the encrypted connection somehow and forced the POS system to authenticate with a rogue payment server, sending the money to the attacker instead of the organization," Kujawa says. "Though there would have to be a serious vulnerability in the communication systems for that to happen."

But these are still fairly futuristic options, Kujawa says. "This is, of course, more of the direction I hope to see the future of banking, for the time being I think for the truly paranoid, use prepaid cards," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comments

anon5511426393, User Rank: Apprentice, 2/13/2014 10:38:39 PM
re: 'Debit Or Credit' Becomes A Point-Of-Fail
pre-paid cash? so you lose all your money when those get hacked, with absolutely no chance of anyone refunding it. mad idea.