Mobile Wallet Not Going To Displace EMV

Innovations in mobile technology have made smartphones our go-to source for nearly all activities, from search to location pinning and sharing and, most recently, payments. According to Forrester Research Inc., mobile payments reached $12.84 billion in 2012 and will grow 601% to $90.05 billion in 2017. Meanwhile analyst firm Gartner reports that mobile payment transaction values will reach $235.4 billion in 2013, a 44 percent increase from 2012 values of $163.1 billion. Assuming that the final figures for the whole of 2013 turn out to be accurate, this certainly puts mobile payment usage into context.

The explosion of smartphone ownership in the United States continues, reaching nearly 65 percent in 2013 according to Nielsen research, and leading many industry experts to predict ‘the death of the card.’ This prediction often brings skepticism as to the value of migration to the EMV chip card standard. Supporting the notion that the card will not yet die, comScore reported that there were one billion credit and debit cards in circulation in the United States in 2012 – approximately three cards for every person. However, hype around digital wallet usage and uptake belies the reality – mobile payments are very much an emerging and fragmented technology, which is not evolving at anywhere near the rate required to invalidate EMV.

Behind the digital wallet skepticism and consumer attachment to cards lies the fact that credit cards are a somewhat trusted and familiar method of payment, and despite shrinking adoption times for new technology, consumers are generally change averse. This reluctance is compounded by the fragmented and confusing mobile payment landscape. With underlying network operators, financial institutions, new generation payment providers such as PayPal and Square, and now big players such as Apple, all competing for a piece of the ‘mobile payments pie’, we are facing a huge ecosystem of divorced, incompatible, media-hyped technologies. In addition, network operators and handset manufacturers have been fighting for a larger percentage of the transaction.

The benefits of NFC for the card issuers are clear – reduced costs in both distributing physical cards and customer support, particularly around ‘lost or stolen’ issues, because a mobile credential can be revoked immediately. For the consumer, it’s not so clear where the efficiencies and appeal lie over a conventional wallet or cards, as security and ease of use are typically the top concerns when thinking about payments. As with many innovations, it could be argued that we are looking at a technology in search of a use case.

Retailers cannot afford to delay their migration to EMV for fear that the technology will be redundant in the face of mobile payment uptake. As mPOS becomes much more mature, retailers need to take a serious look into solutions that provide a practical way forward rather than a theoretical one. For most retailers, cost is a consideration, with the average being around 2.7% per transaction, according to Ovum. However, some of the short-term solutions aren’t the best ones and might not be able to scale or provide the secure infrastructure that larger big box retailers need.

Another argument is that the SIM or a Secure Element within the phone will bring security benefits equal to those of the EMV chip in the physical card. Although this is true, the mobile wallet trend is in its extreme infancy. Card usage is certainly changing, with the advent of mPOS (mobile point of sale) technology making card acceptance possible in a diverse range of new environments. However, rather than being a battle between mobile and EMV, the likelihood is that we are moving towards a future where they will sit alongside each other. Consumer choice is a powerful master, and will lead to the development of point-of-sale terminals that will accept contact and contactless EMV cards as well as NFC mobile payments.

Consumer trust is a major driver when it comes to innovation in payments, which in turn hinges on security. As the United States continues its move to EMV, it is not only taking a crucial step towards reducing payment fraud, but laying the foundations for a new era in payment technology.

We’re heading for perpetual change in the mobile payments landscape that we’ll see throughout our lifetimes. Technology is moving at such a rapid pace that there’ll always be innovation, and that trend will continue upward. At the moment, it’s important to keep in mind that, although the technology is moving rapidly, many solutions fundamentally rely on credit and debit card transactions. What we’ll continue to see are more efficient ways of moving money from an individual’s account into a merchant’s account. At the end of the day, it’s about simplicity and cost.

Nowadays, when you think about a rapid transaction, cash is still probably the fastest way to pay unless you’re in a transportation environment. When you’re paying for a newspaper, coffee or dinner, cash is simple and easy. The industry as a whole will continue to look for ways to make other payment methods much faster, and it’s exciting to see what’s next to challenge the technology landscape and to ensure that the solutions implemented can stand the test of time and adjust to our constantly changing landscape.

Target Hack: Ensuring It Doesn’t Happen Again

We have all heard about the recent Target breach, and read about the many retail breaches of the past, and wondered why they keep happening. While we don’t yet know what happened, maybe this article will help illustrate the problem and a solution.

Retail systems generally involve “hub and spoke” architectures. The spokes are networked systems such as Point of Sale (POS), and the hub is a data collection and processing facility. The POS calculates cash and credit-card transactions and negotiates approvals through a software exchange of card data with financial “clearing” systems. The transactions are encrypted at the POS, and the key is a combination of the PIN (cash) or CVV (credit) plus a certain number and configuration of the card digits, and a private key provided by the financial service via a Hardware Security Module (HSM) that negotiates the communications between the POS and the clearing authority. Once authorization for a purchase is made, the POS data is transported (again in an encrypted form) to the retailer’s data collection and processing facility.

The data that is transported to the collection and processing facility is usually encrypted in transit, and contains separate elements of the card number and the encrypted PIN or CVV. That data is then stored for various reasons, including data mining for marketing statistics (sometimes to sell to other companies), as well as for secondary clearing and settlement with banks or their internal financial processing companies. Unfortunately that data is often stored in several disparate locations according to its utility to the retailer, and is often not encrypted where it is stored (though the PIN and/or CVV are usually encrypted).

Payment card handling standards and regulations currently only require the data to be encrypted in transit—not where it is stored. This is fundamentally the reason that the most notorious data breaches have had such large scale impacts—the attackers went after the data stores rather than the POS. The volumes of unencrypted data in the stores were far more lucrative and easier to compile. How attackers get to that data, though, involves malware and APT activities.

There are three types of malware usually involved in retail data breaches:

  1. Phishing emails with malicious droppers/downloaders to infect systems with backdoor trojans, enabling remote access and exploitation of networked corporate systems
  2. “PUPs” (potentially unwanted programs)—which are usually administrative tools, sometimes legitimate, that allow password hash collection or cracking, Active Directory or LDAP browsing, SQL server interaction, RAR/ZIP packaging, Simple Mail Transport, proxy service configuration, and reconnaissance tools such as FPORT—to assist the attackers in their exploitation of the networked systems by enumerating systems by type (POS, DB, AD, etc.), infecting those systems according to need, and establishing data harvesting and exfiltration methods.
  3. Harvesters that are custom utilities programmed to perform needed actions to harvest card data (RAM Scrapers such as DexterPOS malware), PIN/CVVs (Man-in-the-Middle HSM collector proxies), or bulk data (SQL miners that integrate network, database, and administrative functions), which provide persistent access, automated harvesting, and programmed exfiltration of data.

The malware described above provides compromise, exploitation, and persistent access to retail systems. This is the pattern of activities common to “advanced (or targeted) persistent threats” as it relates to retail environments. It should be noted that sometimes web services compromises take the place of phishing emails, and corporate systems usually have all the needed tools to facilitate what PUPs offer attackers. Sometimes attackers can simply make use of internet-accessible “administrative backdoors” such as RDP, VNC, or SSH access that are unfortunately common network vulnerabilities (in all corporate systems). Our investigations of retail data breaches have consistently identified these types of malware tools, tactics and procedures.

The reason that these breaches have occurred is that the industry approach to identifying malware is broken. Malware is part of the toolkit employed by APT actors. It facilitates the activities and accordingly is a critical indicator of attacks.

Antivirus, White/Blacklist, in-flight recording, virtual machine reverse engineering, etc., are currently the tools available to retailers to assist in their defenses against constant APT attacks—but they don’t work. There are fundamentally two reasons: 1) they are after the fact, relying upon something someone else has seen (A/V and W/B lists) or resulting from analysis (IFR/VM); and 2) they are too “heavy” to serve the needs of the POS environment, as they require frequent signature updates or a human interaction.

Antivirus and White/Black list success depends upon either a signature or a heuristic match to an index of known patterns—from past submissions. Accordingly, the phishing emails that commonly employ zero-days or polymorphism to obfuscate recognizable signatures cannot be detected by Antivirus. Most of today’s malware also employs anti-VM or anti-RE analysis techniques, making it similarly undetectable by RE/VM. IFR and related Incident Responder tools are by their nature not defensive—they are reactive or investigative.

Secondly, POS systems are stripped down and often run out-of-date operating systems (usually Windows XP or NT, sometimes even DOS). They have limited RAM and almost no available storage, so voluminous signature files that require frequent updates simply cannot be supported by POS.

That leaves retail environments with the need for a solution that will recognize malware based upon its properties, in a lightweight and fast functional format. The Cylance Infinity platform has that capability. Using an incredibly lightweight and extremely fast mathematical algorithm for determining maliciousness, Infinity technology can detect advanced and standard malware before the world has even seen it: truly predictive. This capability is what retail environments desperately need; the information stored in retail contains consumer identity and financial data that has real economic value and corresponding impact. Identifying and preventing constantly evolving (and evasive) compromise malware, man-in-the-middle data harvesters, and data exfiltrators simply cannot be overlooked.

The risks and threats described above are not unique to retail; they can be applied in any teller-related environment including financial services, insurance, healthcare, etc. However, retail has the most risk of economic and financial loss affecting the market. Several things need to change to help retail limit these risks:

  1. Payment card industry standards and regulations need to enforce a requirement to encrypt data wherever it is stored in retail or associated systems. There will still be some risk of RAM scrapers collecting transactional data, but at least the huge volumes of data that have been collected in past events from accessible databases will be prevented in future attacks (which will undoubtedly continue to occur).
  2. Retail must be provided with tools that recognize and prevent malware. Those tools must be suited to their needs, though. You can’t teach an old dog new tricks, but you can put a collar on it. Cylance Infinity tools (V and soon to be released PROTECT) are examples of the capabilities to address retail cyber threats. By applying math rather than signatures, malware can be identified even if it has never been seen before.
  3. This is certainly more long term—the entire US retailing/credit/banking system must consider moving to the chip and PIN card system that the European and world markets have largely moved to. Chip and PIN systems prevent these types of man-in-the-middle attacks because they encrypt the data from the card all the way through the payment processing backend. While nothing is unbreakable, it’s a stronger solution that needs to be considered.
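The first recommendation is the one a retailer can act on today. As an added example that is not part of the original article, the Go sketch below stores a card record the way that recommendation describes: the PAN is encrypted at rest with AES-GCM under a key held outside the database, and the database row carries only a masked PAN and an authenticated ciphertext, so a copied data store yields no card numbers. The type and function names (Vault, StoredCard, Protect, Reveal) are hypothetical, and the test key and PAN are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// StoredCard is what the back-end database keeps: the clear-text PAN appears nowhere in it.
type StoredCard struct {
	MaskedPAN  string // "************1111": enough for receipts and support screens
	Ciphertext []byte // nonce || AES-GCM(PAN), authenticated so silent alteration is detected
}

// Vault (hypothetical) stands in for the HSM or key service; its key is never written to the record store.
type Vault struct{ gcm cipher.AEAD }

// NewVault accepts a 16-, 24- or 32-byte AES key (aes.NewCipher rejects other sizes).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Vault{gcm: gcm}, err
}

// Protect turns a clear-text PAN into the at-rest record.
func (v *Vault) Protect(pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per record; crypto/rand.Read does not fail (Go 1.24+)
	return StoredCard{
		MaskedPAN:  strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:],
		Ciphertext: v.gcm.Seal(nonce, nonce, []byte(pan), nil), // nonce prepended
	}, nil
}

// Reveal decrypts a record for a settlement job; a ciphertext altered in the database fails the tag check.
func (v *Vault) Reveal(c StoredCard) (string, error) {
	n := v.gcm.NonceSize()
	if len(c.Ciphertext) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.gcm.Open(nil, c.Ciphertext[:n], c.Ciphertext[n:], nil)
	return string(pt), err
}
```

A bulk copy of the table then contains only masked numbers and ciphertext, and the settlement job is the only component that needs the key.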

Retail (and associated payment card) breaches will continue to be pursued by attackers; they are simply too lucrative to ignore. In today’s retail systems architecture, they are also too easy to accomplish.

Mobile Chip and Pin – Just $50 from JUSP

An Italian company, JUSP, has released a mobile payment device that supports chip and pin – the technology for credit card processing used in Europe. JUSP is short for JUSt Pay.

Chip and Pin technology works by reading a chip on the credit card (a little harder to duplicate than a magnetic stripe, and therefore considered more secure), after which the customer enters her PIN for verification.

About the device:

Jusp is a card reader that can connect through the audio jack to any smart device. Based on European standards concerning electronic money transactions, it works by reading the chips on cards. The application, which can be downloaded free of charge, receives data and manages the transaction process. The device is square in shape, measuring about 5cm per side, and is very light.

Transaction fees:

The JUSP website specifies a 2.5% fee.

Cards accepted:

Jusp accepts all major credit cards: Visa, Mastercard, American Express, the related prepaid cards, the international V-Pay debit circuits, Visa Electron, Maestro/Cirrus, and the Italian Pagobancomat debit circuit.

About JUSP

JUSP is an emerging mPOS company with a proprietary all-in-one chip-and-pin card reader, which connects directly to smartphone and tablet audio jacks. The company is gaining momentum on many fronts. It has secured a $6 million equity round with two Italian venture capital firms, one of the biggest rounds in Italy in 2013. JUSP also has been named a finalist in the 2013 Bully Awards for its demonstrated excellence in innovation and growth potential. The growing start-up already has over 400 beta customers in Italy and is rapidly expanding internationally. JUSP has an international business office in Singapore and has established a commercial division focused on corporate clients.