Thursday 23 January 2014

PCI London: How the Payment Card Industry could kill PCI DSS

Today (23rd Jan 14) I was a panellist at PCI London 2014, quite a few people were interested in what I had to say, on removing the need for PCI DSS compliance completely by securing the payment cards further. What I said was nothing new, I have been bleating on about this since attending the first PCI SSC meeting back in 2007. Still it is a bold thing to say, especially at a conference where Visa Europe and the PCI Security Standard Council are promoting PCI DSS compliance in the UK, and with event sponsoring vendors promoting their PCI DSS compliance servicing wares.  I'll summarise the views which I expressed at PCI London, which I believe could draw an end to PCI DSS compliance.
Introduce Global Chip & Pin (EMV)
Chip & Pin provides two-factor authentication, this means in order for the cardholder to make a payment,  the cardholder requires knowledge of a 4 digit number, and possession of the payment card. This is known as a 'cardholder present' transaction, typically these are 'over the counter' or 'check out / tills' payments. The UK introduced 'Chip & Pin' in 2006, since then the payment industry has seen a drastic cut in face to face card fraud transactions. However the US have been dragging their heals for years, resulting in breaches like Target, where the bad guys only need to steal the magnetic stripe and obtain the cardholder data, giving them ability to commit fraud with thousands of payment cards.
Remove the Magnetic Stripe from the Cards
The magnetic stripe makes it easy for card fraudsters to clone cards, they can simply create usable cloned cards by copying stolen magnetic stripe information onto new fake cards. There is nothing to prevent anyone from reading the details held on a card's magnetic stripe, while writing to a magnetic stripe is a simple and cheap process. The magnetic stripe holds all cardholder data (track 2 data), but it is a 1970s technology and has not evolved since it was introduced. The chip technology is different, it is far more secure because the details held on the chip are encrypted, chips are very difficult to clone and it is a technology that is always evolving.
A Magnetic Stripe, A Card Fraudsters Delight

Introduce Two-Factor with cardholder not present payments (Telephone & Ecommerce)
A 'cardholder not present' transaction is where you cannot be sure the actual owner of payment card is making the payment, you can't see him or her.  These are typically internet (ecommerce) payments and telephone payments (MOTO). Most of the card fraud occurs with these types of transactions, certainly nearly all of the UK card fraud occurs here. 

To secure cardholder not present transactions, just as with cardholder present transactions, the solution is simple, introduce a two-factor authentication system. There are several ways this can be achieved, with many examples of concept payment cards which include a pin entry and number return on the plastic, just as we find with remote access tokens supplied by most banks. So the technology is available, yet there are no plans by the payment card industry to role this out on mass.

Two-Factor Payment Card

In taking these steps, cardholder data would no longer require any protection, as having possession of the 16 digit number, expiry date and security code (if needed any more), would not be enough for a fraudster to be able to commit card fraud. This is due to the second factor requirement, namely the cardholder knowing their 4 digit number. Cardholders already have and know a 4 digit number, as pretty much everyone uses ATMs. So in conclusion, if cardholder data no longer requires protecting, then complying with PCI DSS is no longer required. 

The reason we do not have a more secure payment cards and payment processing systems today, is because the card industry is not prepared to invest in improving security. They are standing still on security, and through PCI DSS compliance, they are asking someone else to foot their security bill, protecting their outdated card security, the magnetic stripe is testament to this, as it is a 1970s technology which has not changed, and makes every payment card in the world insecure.

PCI DSS is about protecting someone else's data, my view is the card brands and issuers should not be passing this risk and liability over to their 'customers' to deal with, but they should be dealing with the problem themselves. Chip & Pin has been proven to drastically cut payment card fraud, it is about time the payments industry got their finger out, and stop standing still with the plastic card security, and finish the job in securing cards to a standard acceptable in the internet age.

Tuesday 14 January 2014

UK Information Security Threat Horizon 2014

I was asked for my views on the Threat Horizon, specifically what attacks and trends do I expect to impact UK businesses in 2014, so I thought I'd share my thoughts.  The following are my own views, and they are not based on any specific studies or reports, but on what I've generally read, discussed and trends I have seen affecting UK businesses in the last couple of years.

Cloud Data Protection
UK businesses continue the 'Cloud Rush', meaning more and more confidential data is going into the cloud. I don't think this is so much a Snowden privacy revelation issue with government spying, but I see the problem is that UK businesses are being taken in by the marketing cost saving glitz, and so are blindly trusting cloud service providers. At the end of the day a cloud service provider is a third party service provider. A cloud service purchased by a business, where the third party is charged with adequately protecting confidential information, must be properly vetted and risk assessed. I think there will be UK businesses in 2014, that will come a cropper, and suffer a data breach due to inadequately secured cloud service.

Distributed Denial of Service attacks (DDoS) are increasingly hitting UK businesses, both large corporations and SMEs.  The source of such attacks range from very public Hackivisim to very private blackmail attempts. Most UK businesses don't have decent or any DDoS defences in place, hence why this attack vector is increasing in popularity in the UK.  

Windows XP / Office 2003
After April 2014, Microsoft will no longer support Windows XP and Office 2003, this means no further security patches will be released to resolve any newly discovered vulnerabilities in Windows XP and Office 2003. As a result I expect Windows XP to be targeted in 2014. However I think if a serious enough vulnerability was uncovered in Windows XP, Microsoft would still patch it, but this is my own assumption, so don't quote me on that. But the real problem here is many UK businesses, and indeed many citizens in the UK, will still be using Windows XP past April 2014.

Malware will continue to become ever more sophisticated, and there will be more crafted and targeted malware attacks against UK organisations. Sure you don't have to be Mystic Meg to predict this one, as this is a trend that continues year on year. Having said that, its pretty clear that Ransomware is making a big comeback at the moment, which may well have a serious impact against some UK SMEs in 2014.

Mobile devices will increasingly be targeted, as it does every year. Nothing new, but mobile platforms are increasingly becoming the lowest hanging fruit in gathering confidential information from UK businesses, especially those that do not adequately control their Bring Your Own Device (BYOD) schemes and employee devices.

Finally I predict there will be plenty of UK businesses, that will suffer data breaches for not providing even the basic level of information security. This is a no brainer prediction for 2014 for most in the InfoSec industry, yet unfortunately I will be proven right on this one.