7 Things You Should Know About Secure Payment Technology

Despite the existence of EMV and Apple Pay, we’re a long way from true payment security, especially in the US.

 
The summer of 2014 was defined by point-of-sale malware and retail breaches — Backoff at UPS, BlackPOS at Home Depot, and the like.

With such threats out there, merchants have had to pay more attention to secure payment technology. But most of it doesn’t have anything to do with malware lifting payment card data off of PoS terminals. Rather, the principal goal of new tech is to simply prevent PoS terminals from ever holding that data in the first place — so even if attackers can compromise a terminal, the data they slurp off is of no use to them.
Here are a few things you should know about the state of secure payments today. 

Data lifted off magnetic stripe payment cards fetches a high price on the black market because it can be used to print counterfeit cards, and skimmers make it relatively easy to steal. Payment cards equipped with EMV chips — for “Chip-and-PIN” transactions — eliminate that particular risk.

Yet, while 99.9% of PoS terminals in Europe are chip-enabled by now, the U.S. is one of the last countries to adopt EMV.
“We should have done it five to seven years ago,” says Avivah Litan, vice president and distinguished analyst for Gartner. “Now it will still take us another two to four.”
Al Pascual, director of security, risk, and fraud for Javelin Strategy and Research, explains that part of the reason for the disparity is that European merchants needed the technology more (or thought they did). In the U.S., most card-present payments are authorized at the time of purchase, yet, in Europe, there are still many purchases made “offline” — which makes the protection provided by EMV more important.
Card issuers, not merchants, have usually been the ones to absorb the costs of fraud. So for them, there’s reason to put EMV chips into cards. (Though, they’ve still been slow to do it, stating that customers weren’t asking for it, merchants weren’t accepting it, and therefore it wasn’t worth the investment of replacing cards, which is approximately $1 to $2.50 per card.)
For merchants, EMV is just another thing to have to implement — at the cost of $300 to $400 per terminal — and why bother, if the banks aren’t even issuing chip-equipped cards?
In October 2015, the grand “liability shift” takes effect. From then on, in the event of payment card fraud, whichever party has the lesser security is the one to be stuck with liability. So, if the card issuer has put an EMV chip in the card, but the merchant has not updated their PoS terminals to accept EMV, then the merchant is liable; and vice versa.

As Litan explains, attackers are finding ways around EMV. Part of the reason they’re able to do it is that card issuers relax their fraud protection controls on EMV purchases.

She provides the example of a group of attackers in Brazil who were able to complete fake EMV transactions using stolen magstripe data. As she explained in a recent report:
They took the stolen card data and attached to it dummy cryptograms and dummy one-time codes that are part of EMV card transaction sets, and successfully transmitted payment authorization requests over payment processing networks to EMV and non-EMV card issuers across the globe. These fraudulent transactions were subsequently authorized and settled, and the fraud scheme succeeded against non-EMV (only magstripe) U.S. card issuers and EMV card issuers in different countries.
EMV card issuers outside the U.S. authorized these fraudulent EMV transactions because their controls simply looked for the EMV transaction indicator, which was enough for their authorization systems to approve the card payment request. The EMV issuers were caught off guard because they had not implemented “handshakes” for the transaction’s EMV cryptograms and one-time codes.
“They relaxed fraud controls,” says Litan, “so they got caught with their pants down.”
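
The issuer-side gap described in the report excerpt above, as an added example that is not from the article or from Litan's report: it contrasts approval on the EMV indicator alone with a check that recomputes the cryptogram and rejects a reused transaction counter. The card number, key, field names and the HMAC-SHA256 stand-in for the real EMV cryptogram algorithm are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed issuer records: per-card key and last transaction counter (ATC) seen.
CARD_KEYS = {"4000000000000002": b"constructed-demo-key"}
LAST_ATC = {"4000000000000002": 41}

def make_cryptogram(key, pan, amount_cents, atc, nonce):
    """Stand-in for the chip's cryptogram: HMAC-SHA256 here, not the real EMV MAC."""
    msg = f"{pan}|{amount_cents}|{atc}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def authorize_indicator_only(req):
    """Weak control from the report: the EMV flag alone is taken as proof."""
    return req.get("emv") is True

def authorize_verified(req):
    """Hardened control: recompute the cryptogram, then require a fresh counter."""
    if not req.get("emv"):
        return False, "not EMV"
    key = CARD_KEYS.get(req["pan"])
    if key is None:
        return False, "unknown card"
    expected = make_cryptogram(key, req["pan"], req["amount_cents"], req["atc"], req["nonce"])
    supplied = str(req.get("cryptogram", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "cryptogram mismatch"
    if req["atc"] <= LAST_ATC.get(req["pan"], -1):
        return False, "stale counter (replay)"
    LAST_ATC[req["pan"]] = req["atc"]  # remember the counter so it cannot be reused
    return True, "approved"

# Constructed requests: one from the real chip, one carrying a dummy cryptogram.
_base = {"emv": True, "pan": "4000000000000002", "amount_cents": 2599, "nonce": "a1b2c3d4"}
GENUINE = dict(_base, atc=42, cryptogram=make_cryptogram(
    CARD_KEYS["4000000000000002"], "4000000000000002", 2599, 42, "a1b2c3d4"))
FORGED = dict(_base, atc=43, cryptogram="0" * 16)

if __name__ == "__main__":
    print("indicator-only, forged:", authorize_indicator_only(FORGED))
    for name, req in (("forged", FORGED), ("genuine", GENUINE), ("replayed", GENUINE)):
        print(name, authorize_verified(req))
```
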
Attackers targeting Home Depot stores in Canada found another way around EMV, leveraging the fact that PoS terminals have to accept both EMV and magnetic stripe cards. They infected point-of-sale terminals with malware that social-engineered shoppers. The PoS would simply prompt customers to swipe their cards — even if they had EMV-equipped cards. They’d lift the magstripe data, then complete the transaction through the EMV chip.
Even when tokenization technology is added to the mix, Litan explains that malware authors can steal the magstripe data before it’s tokenized. The only way to prevent that is by implementing point-to-point encryption (P2PE).
“P2PE is really what the retailers are focused on,” says Litan, but unfortunately most P2PE solutions have not yet been PCI-certified, so some retailers are hesitant to deploy them. Merchants get some breaks on their PCI audits if they use P2PE, but only if they use PCI-certified P2PE applications.

If, because of tokenization, merchants and payment processors don’t need to actually see payment data, then attackers won’t need to steal payment data — they’ll just need to steal tokens.

“Token vaults will become a huge target,” says Pascual. “That’s where the [attackers’] focus will be.”
So why bother with tokenization?
“You could teach a 5-year-old how to skim cards,” says Pascual, but “you’re not going to teach a 5-year-old to break into a token vault.”

In September, Apple announced details on the iPhone 6 and Apple Watch, including that the new devices will be equipped with Apple Pay — a contactless mobile payment scheme that tokenizes payments, never communicates credit card data to the merchant, and essentially turns an iPhone into a mini point-of-sale terminal.

As Apple describes it:

With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted, and securely stored in the Secure Element, a dedicated chip in iPhone and Apple Watch. These numbers are never stored on Apple servers.
So, the only point of failure is on the card-holder’s Apple device, not on an Apple server that could be targeted by attackers. There are certainly benefits to that system, but Apple Pay raises a new question: do you want Apple, not merchants, to be responsible for payment data security?
“While for those who work in fraud and security there is still a bit of a question mark,” says Pascual, “the average consumer, they don’t care.”
In any case, Apple Pay is “worlds more secure than what you’re using now,” says Pascual. “Regardless of whether or not Apple has the payment security chops, it’s better than the pedestrian, old-school” magnetic stripe methods that are currently in use.
Litan agrees: “It’s actually very secure,” she says, noting that it is not built on a proprietary Apple tokenization protocol, but rather the EMVCo tokenization standard.

Merchants are more likely to invest in new payment tech if it reduces “friction” — in other words, if it speeds up the transaction process or reduces the number of hoops a potential buyer has to jump through to complete a purchase.

Conversely, any tech that increases friction is usually avoided. Case in point: 3D Secure — the technology behind Verified by Visa, Mastercard Secure Code, and American Express SafeKey.
3D Secure helps prevent fraudulent card-not-present transactions, like those made through online stores. When a user initiates a purchase, they are redirected to a separate web page — the issuing bank’s 3D Secure authentication page. If the card holder authenticates successfully, the transaction will proceed.
3D Secure is “being used pretty extensively in Europe,” says Litan. “But Amazon would never use it,” because it adds friction, eliminating “one-click shopping.”

Apple Pay isn’t the only new payment technology out there. There are rumors that Google is testing something called Google Plaso — a point-of-sale system which presumably reduces friction by allowing users to complete purchases simply by telling the cashier their initials.

There’s the “Hidden Mastercard” revealed at CES, which aims to make the transition from magstripe to Chip-and-PIN a bit smoother and more secure. It looks like a card, but it’s really a little computer. The user must authenticate to the card itself, and then is given a one-time card number — which appears on the front of the card and is fed into the magnetic stripe and the EMV chip. Once the purchase is made, the one-time card data is erased.
There’s also Natural Security, a payment technology that uses biometric authentication, which has been around for years, but still hasn’t caught on.
There will, no doubt, be others — but how different will they be, really? Pascual says there’s “so much money tied up in cards,” and it would be at least 10 years before we move away from cards and onto some other form factor.
Further, explains Litan, all of these technologies are still linked to bank accounts. The only payment technologies that are truly different are alternative currencies, like Bitcoin, which come with their own set of problems.
Do any of the new payment technologies pique your fancy? Do you think Apple Pay is all it’s cracked up to be? Do you think EMV adoption will really accelerate when the liability shift happens in October? Let us know in the comments below.
*****************************

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

 

Commodore PC Still Controls Heat and A/C At 19 Michigan Public Schools

from the if-it-ain’t-broke dept.

jmulvey writes:

Think your SCADA systems are outdated? Environmental monitoring at 19 Grand Rapids Public Schools is still controlled by a Commodore Amiga. Programmed by a High School student in the 1980s, the system has been running 24/7 for decades. A replacement has been budgeted by the school system, estimated cost: Between $1.5 and 2 million. How much is your old Commodore Amiga worth?

Posted by Soulskill a day ago

18 Clever Inventions That You Need In Your Life

How did people live before the Internet, or the car, or the various other things that we’ve grown so accustomed to using every day? Some inventions are so amazing that they make you really wonder how anyone could’ve gotten by without them.

Heated Butter Knife

Heated to the perfect spreading temperature in about thirty seconds by two AA batteries, this knife makes difficult spreading a thing of the past. Only the tip of the knife heats up, and a flashing LED alerts the user that the heating element is active.

Self-Cleaning Hairbrush

The self-cleaning hair brush has a simple design: a rubber pad sits in the “bed” of the brush under the bristles. When it is time to clean it out, just pull the pad up over the bristles, then dump the hair.

Solar Powered Tent

This 36 square foot tent features a 50Wh battery pack to power all of your electronics. The tent, battery pack, and solar panel will set you back about $1,000, so it is for the serious camping fanatic.

Euphori-Lock Ice Cream Lock

A two piece twist lock with a pre-assigned combination is now available for your pint of ice cream. Made by Ben & Jerry’s, this lock fits all pints, and has gotten pretty good reviews. Engraved with the quote, “I’m terribly sorry, but there is no ‘u’ in ‘my pint,'” it keeps the ice cream thieves at bay.

Wine Sippy Cup

The sippy cup of moms everywhere, this sippy is a double walled tumbler, with a wine glass inside, all covered by a spill proof lid. It can hold ten ounces of wine, and is 100% BPA free. Vino to go anyone?

Cover Blubber

CoverBlubbers, which are made of StickyRubber, are being sold as a safer alternative to traditional plastic wrap. CoverBlubber form fits to whatever shape it is placed on, and forms an airtight seal. It is available in four stretchy sizes, and colors.

The Lockitron

The new smartphone app enabled, front door locking system. It simply installs over your old lock, and then you use the app on your phone to lock or unlock it from anywhere. Since it is portable you can take it anywhere, and you can still use your old keys with it!

Mommy Hook

A huge clip with a foam grip, it can be used with strollers, carts, etc, to hold all of your bags. Just put your bags on it, then snap to your wheeled device, or simply hold it and save yourself from hurting your hands.

Deglon Meeting Knife Set

At $599 a set, these are knives for the serious culinary enthusiast. Four knives that fit inside of each other, and into their block, all made from ONE piece of stainless steel. The classiest of all cutting utensils.

Pancake Plett Pan

This pan has four, shallow wells to cook pancakes, eggs, etc, in uniform roundness. Made with 20,000 diamond crystals, it creates a non-stick surface that can’t be beat. The pressure-cast aluminum allows heat to distribute evenly, making your meal perfect every time.

Scrap Trap

Fitting under the cabinet, over the drawer or door, the Scrap Trap hooks in for easy scrap clean up in the kitchen. Use the included utensil to push scraps into the 2 quart bowl, detach, and dump. Truly easy kitchen cleanup.

Secret Compartment Water Bottle

A water bottle with a built in secret compartment designed to hold credit cards, cash, key, or whatever you can fit in there. Great for anytime you can’t carry around your wallet. With a large mouth for ice cubes, and dishwasher safe, it’s a convenient water bottle as well.

Glowing Toilet Bowl Strip

Why do you need a strip of glow in the dark tape to put around the rim of the toilet? Well, it’s useful to both genders, as men won’t make a mess on late night restroom trips, and women won’t fall when the seat is left up.

Rechargeable USB Batteries

Rechargeable batteries with USB ports to plug in your electronics. Super compact, they are easy to take anywhere. Easy, portable, charging.

Oven Rack Guard

These are silicone guards that fit to the edges of your oven racks. They are heat resistant, and used to minimize the risk of burns. The textured silicone makes for easy gripping as well.

Brush Flask

A flask hidden within the shape of a brush. It holds six ounces, and unscrews at the bottom of the handle. Nobody will ever guess it isn’t a brush!

Hands Free Book Holder

Expanding and contracting to hold your book or fit in your bag, this holder can go anywhere. Simply insert book and begin reading, you will only need to turn the pages. Great for multitasking!

Pen Scanner

A pen shaped scanner that scans printed text and sends it straight to your computer. Just run it over the text you need scanned and you are done. Note taking suddenly became a lot easier.


Trojanized, Info-Stealing PuTTY Version Lurking Online
from the at-your-command-prompt dept.

Original Article
One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you’re installing PuTTY from a source other than the project’s own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article:

Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. “Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as ‘root’ access) which can give them complete control over the targeted system,” the researchers explained.

The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the “About” information for the app.

Posted by timothy 10 days ago