Monday, 19 October 2009

TalkTalk’s WiFi Hacking No No!

Last week Internet Service Provider (ISP) TalkTalk pulled a hacking publicity stunt, which they aimed to demonstrate why they should be absolved of all responsibility for the portion of their customers who illegally file shared pirated material. TalkTalk visited a street in North London, and hacked into poorly secured residential wireless networks. Accessing insecurely configured residential WiFi is old news and is illegal, TalkTalk’s point in doing this was to show that anyone could be using residential wireless access points for file sharing illegal material, again nothing new in that either.

However the double standards here, is the prime reason why the majority of home wireless networks in the UK aren’t secured to a sufficient degree in the first place, is because ISPs have been providing their customers with wireless access points (routers) in an insecure fashion for years.

As far back as 2001 WiFi WEP security has been known to be broken, however in 2007 when I assessed new home Wifi Router provision by ISPs in the UK, I found the majority of ISPs were still providing home Wireless Access Points with WEP security by default. Of course the vast majority of their customers aren’t savvy enough to properly secure their home Wi-Fi with WPA2 encryption, in fact most customers when asked tended to trust their ISP to provide them with an appropriately secure home WiFi network.

Any school boy with a “Facebook” level of computer knowledge can break into a WEP protected WiFi home networks in just minutes. WEP is not encryption, and it should never be referred to as “Secure WiFi” as some ISP’s had been describing it in recent years. TalkTalk tended to not provide their customer with Wireless networking, however this led to many of their customers to go out and buy their own wireless access point as a result, many of which haven't properly secure their WiFi or even use worst, deployed it without any security in place at all . Interesting how TalkTalk charge £99 to configure their customer’s WiFi Router to WPA2, in my view they should be doing this for free, as TalkTalk’s competitors have moved to providing their customers with WiFi networks with WPA2 enabled by default for zero cost.

I think TalkTalk should face up to their responsibilities as an ISP, and stop TalkTalk customerswho share illegal content, which isn’t always pirated movies and computer games, but can be the more unsavourily stuff on the Internet. I don’t think it's right for TalkTalk to go around hacking real world environments which are already well known to be vulnerable for self publicity, even with the resident’s permission. I think the ethics of this is highly questionable because TalkTalk’s message wasn’t about advising citizens and their customers on how to secure their home WiFi networks, but about TalkTalk not wanting to spend the money in policing their customer’s internet activity.

Finally illegal file sharing is never in the interest of TalkTalk’s honest and legitimate customers, who are likely to suffer slower internet speeds as a result of the illegal internet bandwidth hogging by the few.

Thursday, 8 October 2009

How the Payment Card Industry could stop Card Fraud

If the payment card industry, the card schemes such as Visa and MasterCard, and merchants really desired to dramatically reduce payment card fraud, it can be simply done.
Today, by far the biggest problem with payment card security (credit and debit cards), is the little black magnetic stripe on the back. This magnetic stripe holds the full card details unprotected. This information is referred to as “track 2 data” within the payment card industry. The problem is this magnetic stripe track 2 data can be easily read with a "cheap to buy" magnetic stripe reader (see picture above), allowing fraudsters to “skim” card details quickly in a variety of ways, for instance placing covert magnetic stripe readers on ATMs (see picture below).
Track 2 data is also held in plain text on some payment devices and payment processing applications which store this information. Once track 2 data falls into the hands of card fraudsters, they simply create clone cards by replicating the magnetic stripe, and then use the cloned card in the same way as the original card holder uses the original card, of course only at those places which accept magnetic stripe swiping. Making card payment using the magnetic stripe reading is increasingly rare in Europe, however elsewhere in the world it is still used, and sometimes even without a signature.

Using a magnetic stripe to store card data on our plastic is an out dated technology, in Europe where "Chip and Pin" has now been widely adopted, using a chip to read the card data instead of the magnetic stripe increases security. The chip is difficult to clone and holds card information encrypted, so making it difficult for the bad guys to “swipe skim” the card data, and it is extremely difficult to create a clone working "chip" on a card. The issue is there are places like the United States where they haven’t adopted the securer chip technology and are intent on continuing to use the insecure magnetic stripe for the foreseeable future, meaning all payment cards around the world still need to keep the magnetic stripe on the back to be used globally accepted. As a result UK payment cards which still have their magnetic stripe track 2 data stolen, are still being cloned but used in places like the Thailand, where card magnetic stripe swiping is still the way to pay.

One of the arguments for the non-full adoption of chip technology in places like the US, is merchants don’t want to front the cost of replacing their card readers, well that doesn’t wash with me, most merchants in Europe managed to adopt chip reading technology fairly rapidly without any major hassles, and in general merchants continue to replace their card readers over a period of time anyway. So I don’t see why a “phased in” approach wouldn’t be acceptable on a world wide basis. During my recent trips to the United States I have encountered a general shift in the type of payment card readers to touch screen card devices, but they are still using magnetic stripe swiping to read the card. But this demonstrates there is always a continued evolution of card reading devices being deployed by merchants.
I don't want to even muddy the water by talking about the extra security using a PIN with the chip to provide two factor authentication at the cash register, that’s great for increasing security too, but my main point is about using a chip to read the card instead of a magnetic stripe.
I believe removing the magnetic stripe from all payment cards and card processing terminals would result in a drastic reduction in card fraud, which specifically targets “card holder present” transactions. A “card holder present” transaction is where the card holder and payment card are both physically present when making payment, for instance making a payment at the cash register.

What about card holder not present transactions? These transactions are where it is impossible to tell whether the cardholder is present and in actual possession of card when making a payment, for instance an internet transaction or a telephone payments, where it is impossible for the merchant or payment processor to know whether the buyer is typing his card details in from the actual card or it's a frauder using skimmed card information. Sure the 3 digit security code helps with this, but the bad guys have ways around this.

In the UK following the introduction of Chip and Pin in 2005, there was a dramatic shift in the types of payment card fraud, in that the card fraud dramatically swung to “card holder not present” fraud, mainly internet transactions opposed to fraud at the cash register, mainly because cloning cards and their magnetic stripe became a waste of time for the fraudsters, as merchants moved to using chip only payment transaction processing.

There is an answer to securing “card holder not present” transactions which is simple and just requires an update in the card technology used. This technology has been available for quite a while now and involves the addition of a digital authentication system to the actual payment card.
I have seen many proto-types of this technology, such as the EMUE card (featured in the pictures), which displays a uniquely generated LCD number on the card, which is then typed in by card holder when making a “card holder no present” transaction, such as an internet payment. The system checks the number is valid and if it is, this proves the card is actually present as the payment is made. In addition there is a PIN entry on the card which is used to create the generated number, proving the actual card holder is also present. This type of card effectively would turn all “card holder not present” transactions into “card holder present” transactions. This card is not more bulker than a normal card, so still works in ATMs.
If the payment card industry took these steps, not only would this dramatically reduce card fraud by vast amounts in my view, but it would remove the security burden of protecting card holder data. Payment processors and merchants must  comply with the 260 security requirements of the Payment Card Industry Data Security Standard (PCI DSS), I question whether PCI DSS would even be required to oversee the protection of card holder data if the measures I have talked about was globally adopted, because the bad guys wouldn’t be able to commit much fraud with payment card information anymore, meaning card holder data would no longer require to be protected.

I don’t believe I’m saying anything radical here, or indeed anything new, as always any thoughts and comments on this is always appreciated. I can say I have raised these points with leaders in the global payment card industry, as yet no one has given me good reason why this wouldn’t work. The excuse I tend to be given is the fraud rates aren’t at a sufficient rate to bring about these sorts of changes in security. Some might say the payment industry are happy taking the fraud hit, and passing on the fraud costs on to merchants and ultimately consumers through PCI DSS related costs and fines, while the inconvenience to customers who actually get hit with fraudulent transactions on their credit card and bank statements, mainly due to no fault of their own, is of little conscience.

Information Security is often a game of cat and mouse, with the good guys introducing security measures and bad guys finding ways around the security measures, then the good guy’s introduction new security measures and so on. The question is, has the payment card industry stopped playing the security game of cat and mouse? The answer is within the magnetic stripe on the back of your payment card.