Credit card companies and banks have long pushed for a sustained and decisive shift from vulnerable magnetic stripe cards to more secure smart cards, or “chip” cards, except the looming emergence of banking via mobile devices may add another complex layer to bank authentication into 2013 and beyond.
Over 1.5 billion EMV (EuroPay, Mastercard and Visa) smart cards have been issued, and 22 million point-of-sale terminals (POS) can accept them globally up to Q4 2012, according to research gathered by the Smart Card Alliance, a non-profit industry association that promotes the adoption of smart card technology. Although this makes up about 76% of POS terminals worldwide, the number actually excludes the US market.
The reason why is because the US is among the last countries to fully migrate to chip cards, and that growing adoption looks to intersect with the bubbling promise surrounding mobile payments. For a smoother transition, banks and financial institutions have to deploy authentication standards that would be very difficult to intercept, says Andy Rolfe, chief technology officer at Authentify, a security and authentication provider.
“The most common fraud these days is ‘man-in-the-middle’ or ‘man-in-the-browser’,” says Rolfe in an interview. “That's why banks are shifting to transactional verification and more triangulation. It’s like an out-of-band model that we use where instead of delivering additional security credentials or questions to the end-user over a potentially compromised channel, we do it over the phone through voice, so it's more difficult to compromise.”
Authentify calls this “2CHK”, which is essentially a two-factor authenticator that either uses voice on a mobile phone or a secure second channel on a computer. Two-factor authentication effectively forces end-users to provide a second piece of information or credential to complete a login or transaction process.
Rolfe adds that banks, financial institutions and e-commerce merchants have used customers’ mobile devices as a second factor by texting one-time passwords to them. Customers would then enter the code to confirm and complete transactions or logins, a process he believes has proven to be fraught with exploits, particularly to financial malware like Eurograbber Zeus variants.
Bad Apples
In July, a security researcher in Germany noted a similar problem with chip cards when he found that POS terminals – particularly the Artema Hybrid Terminals made by VeriFone Systems – could be vulnerable to malware that would be able to steal credit card information, regardless of whether cards were swiped or inserted. VeriFone denied that any merchants or consumers were at risk. Although the findings were unsubstantiated and unsolicited, the publicity generated from the research laid scrutiny over the security assurances of credit card companies and manufacturers like VeriFone. US merchants weren’t affected because they didn’t deploy those specific terminals, except VeriFone had won a $35 million contract to supply Washington, DC taxi cabs with payment terminals only a few days prior.
As an ethical hacker, Caitlin Johanson wasn’t surprised to read that report. Now employed at a startup called CORE Security, she had previously worked extensively on helping banks and financial institutions recognize flaws in authentication standards.
“It doesn't matter how secure they say something is, even the three-way handshake – the terminal that processes the transaction has to know the person that swipes it, and the card has to know everyone”, says Johanson. “It only takes one person to disrupt that process. A disgruntled employee who stole passwords is one thing, but someone who puts a sniffer inside that terminal to intercept those transmissions is another, especially if it’s hard to detect.”
In the same vein, she’s equally cautious about how EMV relates to mobile payments and transactions.
“A 2CHK system is certainly less risky than a code delivery method. Voice is still a tricky authentication method to compromise, but if banks and financial institutions save voice notes and categorize them to their respective customers, then there’s a database of voices cyber attackers could target instead”, she warns.
Mobile Shifts
Though not entirely the same as mobile payments, research from Javelin Strategy and Research found that 33% of US consumers used mobile banking as late as November of 2012, up from 24% in 2011. Forrester Research also accounts for growth in both smart card adoption and mobile banking, with a European-focused report in July that suggested mobile banking was the most important innovation for retail banking in this century.
Eve Maler is the principal analyst serving security and risk professionals at Forrester in Massachusetts, and while she didn’t author that report, she agrees that demand for more mobile transactions in greater sums of money will force banks to not only secure transactions even further, but also raise limits on how much their customers can transfer.
| "Authenticating a user with a solid two-factor method can be rendered useless if an attacker compromises [an] entire [mobile] phone" |
| Eve Maler, Forrester Research |
“Our research has found that smart cards have demonstrably reduced fraud, and that mobile banking is on the rise, but there are still risks that have to do with the devices themselves”, says Maler. “Authenticating a user with a solid two-factor method can be rendered useless if an attacker compromises the entire phone. Banks, as well as the companies designing the mobile operating systems, will have to help educate their customers on protecting their devices as mobile malware begins to mature and propagate.”
She expects more functionality to be made available that leverages digital certificates and digital signatures for things like transaction signing that should add convenience for consumers when hidden behind the cloud or functions those mobile apps are accessing.
The fact that near-field communication (NFC) is still in its infancy also means that mobile payments and deploying the terminals to enable them still have a way to go, says Andy Rolfe. Even so, he’s optimistic that the shortcomings identified in smart cards and mobile phones could actually help consumers be more aware.
“If you can leverage things like the secure element the NFC folks are talking about and security tools within the [operating system] platform, banks can leverage that intelligence to help detect fraud”, he says. “Oftentimes, fraud and security is about looking for odd aspects, odd patterns that are not common to the individual you think you're dealing with. The more data you have, the more you’re able to detect those errant transactions.”