May 6, 2015
We may love the Hollywood movies about amazing bank or jewelry heists, armored car robberies, art scams and the like, but smart criminals figured out long ago that a good financial data breach is a much more lucrative form of criminal activity. And it comes with the added benefit of much lower risk of arrest and little chance of being shot at or even getting a cold working outside in the wee hours of the night.
Target, JP Morgan Chase, the Home Depot and some of the biggest names in banking and retail with some of the biggest IT security budgets in the industry have been hacked and customer financial data has been sold to the highest bidder. Losses are not calculated in millions, but in billions of dollars.
Attacks on consumer mobile devices are less appealing to criminals than breaking into a central server or merchant terminals that hold the financial data of millions of customers. When incidents of financial data breach peaked in 2013, hacking into servers accounted for half of all attacks. Still, the adoption of mobile proximity payments and the presence of sensitive financial data on mobile devices will entice the tech-savvy criminal. Instead of being protected by the simple offline nature of a plastic card, sensitive payment data on an always-connected smartphone is naturally more accessible and potentially more at risk. A breach of a single smartphone can be the proverbial tip of the iceberg in a massive mobile payment fraud: a successful attack method has great value to criminals, who may sell or share it, and until that method is known and countermeasures are deployed, every other device with the same vulnerability is a sitting duck. A great deal of damage can be done before the exploit is identified and eliminated.
While data theft criminals may reuse existing hacking methods such as chargeware and ransomware, increasingly sophisticated and diligent attackers will not fail to invent new strategies for getting at financial data on phones. Here are some of the issues that keep the security professionals working to prevent mobile payment fraud awake at night.
Malware, such as Trojanized versions of otherwise legitimate financial applications, can be pushed to devices by attackers via distribution platforms that are unregulated or under-regulated.
If financial data on the phone is not adequately encrypted and access-protected, it is an open invitation to hackers. Depending on the degree and type of the deficiency, the data is exposed either by offline analysis after a physical theft of the device or by tricking the application into sending the sensitive information remotely.
A breach of application integrity is a serious threat, since a single working modification can expose scores of active applications in the field to the same attack. The attacker can modify the application to send sensitive financial information to a server, make it behave in unintended ways, or harvest poorly protected intellectual property from inside the application.
Any deficiency in the mobile application's interaction with other entities, such as the contactless reader and the backend servers, will also be exploited by mobile payment hackers. Weak authentication or a flaw in message security can jeopardize not only the mobile payment application but also the associated server. A capture-and-replay attack on the open, unencrypted communication with the contactless reader has been demonstrated recently (e.g. the Apple Pay transaction replay demo).
To counter these threats, several security strategies are required. Best practice dictates that security be a design principle across the board: baked in from design to deployment, beginning at the firmware level and continuing through middleware to server-based platforms. The role of the smartphone in mobile payment makes these principles especially important for on-device software.
Malware penetration in unregulated channels is as high as 33%. Distribution-level vulnerabilities can be addressed by better regulation of application distribution channels, preventing hackers from pushing malware and Trojanized apps onto devices. In the absence of sufficient regulation, the fallback strategy is to enforce strict security policies at the application level; it is the lack of such policies in less secure applications that hackers exploit. Strict rules for app certification and distribution are also important.
The first line of defense against malware is to actively test for new vulnerabilities, discover malware signatures as early as possible, and keep the mobile system-level guards (e.g. Verify Apps from Google) updated.
Phase out less secure profiles: issuers can do away with card profiles that are prone to replay attacks over the unsecured communication with the contactless reader. This includes profiles that do not interactively generate cryptograms with the reader, so that a recorded response is indistinguishable from a live tap.
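The replay problem described above and the reason dynamic cryptograms close it, as an added example that is not part of the original post and is not the Apple Pay demo it mentions. The model is a deliberately simplified stand-in for the contactless exchange: the reader sends an amount and a fresh unpredictable number, the card answers, and the issuer decides. The key, PAN, message layout and HMAC-based cryptogram are all constructed for illustration and are not real EMV data or algorithms.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; nothing here is a real key, PAN or EMV message layout.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4111111111111111"
EXPIRY = "2712"


class Reader:
    """Contactless reader: every tap carries an amount and a fresh unpredictable number (UN)."""

    def __init__(self, amount_cents):
        self.amount = amount_cents
        self.un = secrets.token_bytes(4)

    def challenge(self):
        return {"amount": self.amount, "un": self.un}


class StaticProfile:
    """Legacy profile: answers every tap with the same static record and ignores the UN."""

    def respond(self, challenge):
        return {"pan": PAN, "expiry": EXPIRY}


def cryptogram_input(pan, expiry, atc, amount, un):
    """Bytes the cryptogram covers: card data plus the reader's amount and UN."""
    return b"|".join([pan.encode(), expiry.encode(), atc.to_bytes(2, "big"),
                      amount.to_bytes(4, "big"), un])


class DynamicProfile:
    """Profile that computes a cryptogram over the reader's UN, the amount and a transaction counter (ATC)."""

    def __init__(self, key):
        self.key = key
        self.atc = 0

    def respond(self, challenge):
        self.atc += 1
        msg = cryptogram_input(PAN, EXPIRY, self.atc, challenge["amount"], challenge["un"])
        ac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": PAN, "expiry": EXPIRY, "atc": self.atc, "ac": ac}


class Issuer:
    """Issuer host: verifies the cryptogram against the reader's own challenge and rejects reused ATCs."""

    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorize(self, challenge, response):
        if "ac" not in response:
            # Static profile: nothing binds the record to this tap, so any well-formed record passes.
            return response["pan"] == PAN and response["expiry"] == EXPIRY
        expected = hmac.new(self.key, cryptogram_input(
            response["pan"], response["expiry"], response["atc"],
            challenge["amount"], challenge["un"]), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response["ac"]):
            return False  # cryptogram was computed for a different UN or amount
        if response["atc"] <= self.last_atc:
            return False  # counter reuse: an exact replay of an earlier tap
        self.last_atc = response["atc"]
        return True


def tap(profile, issuer, reader):
    """One genuine transaction: reader challenges the card, issuer decides."""
    challenge = reader.challenge()
    response = profile.respond(challenge)
    return challenge, response, issuer.authorize(challenge, response)


def replay(profile, amount_cents):
    """Attacker sniffs one genuine tap, then feeds the captured card response to a second reader.

    Returns (genuine_accepted, replay_accepted)."""
    issuer = Issuer(CARD_KEY)
    _, captured, genuine_ok = tap(profile, issuer, Reader(amount_cents))
    victim_reader = Reader(amount_cents)  # fresh UN; no live card behind the replayed response
    replay_ok = issuer.authorize(victim_reader.challenge(), captured)
    return genuine_ok, replay_ok


if __name__ == "__main__":
    print("static profile  (genuine, replay):", replay(StaticProfile(), 1500))
    print("dynamic profile (genuine, replay):", replay(DynamicProfile(CARD_KEY), 1500))
```

Against the static profile the replay is accepted, because the issuer has nothing to tie the record to a particular tap. Against the dynamic profile the recorded cryptogram fails for the second reader's unpredictable number, and even a replay to a reader that somehow reused the same UN would be caught by the transaction counter check.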
Restrict transaction limits: tokenization reduces the amount of vulnerable information stored in phone memory by replacing sensitive data such as the primary account number (PAN) with an alternate identifier, or token. Issuers can consider keeping the upper transaction limit for a token low enough to deter attackers, so that a token lifted from a compromised device is worth little.
Certifying authorities can raise the bar for certifying applications that hold financial data by defining strict security requirements in areas such as data storage, application integrity and communication.
Adoption of techniques such as obfuscation, white-box cryptography and proprietary protection strategies within the application code will help application providers minimize these threats. On-device software must defend against static code analysis and reverse engineering. This is all the more important on devices that do not have hardware-based security, such as a secure element, in which to store sensitive data; bear in mind that these techniques raise the attacker's cost rather than eliminate the risk. Care must be taken that the security measures do not degrade performance or the user experience.
Application providers and issuers can warn end users about these threats and educate them in best practices for using mobile financial applications.
History has shown that cyber criminals are not discouraged by even hard-to-find vulnerabilities. They are known to devise novel ways to beat the technology and commit fraud. Vendors and participants in the mobile payments ecosystem must identify all the vulnerabilities, address them sufficiently, and constantly reevaluate security. It's either that or become the unwilling protagonist in a B movie about a patsy getting scammed out of millions. And as the saying goes, if you don't know who the patsy is, it's probably you.
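What tokenization with a spending cap looks like end to end, as an added example that is not code from the original post or from any issuer or token service. The token service keeps the token-to-PAN mapping and the per-token limit on the server side; the phone holds only the token and a device identifier. The token BIN, PAN, device names and limits are constructed for illustration, and the token format (a 16-digit Luhn-valid number) is an assumption made so the token can travel through systems that expect a card number.

```python
import secrets

TOKEN_BIN = "999999"  # constructed token range; not a real issuer BIN


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # digit directly left of the check digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


def mask(pan):
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Token service: maps a token to the real PAN, bound to one device, with a cumulative spending cap."""

    def __init__(self):
        self._tokens = {}

    def provision(self, pan, device_id, limit_cents):
        while True:
            body = TOKEN_BIN + f"{secrets.randbelow(10 ** 9):09d}"
            token = body + str(luhn_check_digit(body))
            if token != pan and token not in self._tokens:
                break
        self._tokens[token] = {"pan": pan, "device": device_id,
                               "limit": limit_cents, "spent": 0}
        return token

    def authorize(self, token, device_id, amount_cents):
        """Returns (accepted, reason). The PAN never leaves the vault; only a masked form is echoed."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if rec["device"] != device_id:
            return False, "token not bound to this device"
        if amount_cents <= 0 or rec["spent"] + amount_cents > rec["limit"]:
            return False, "token limit exceeded"
        rec["spent"] += amount_cents
        return True, "authorized against " + mask(rec["pan"])


class PhoneWallet:
    """What the device actually stores after provisioning: a token and its device binding, no PAN."""

    def __init__(self, token, device_id):
        self.storage = {"token": token, "device_id": device_id}

    def pay(self, vault, amount_cents):
        return vault.authorize(self.storage["token"], self.storage["device_id"], amount_cents)

    def dump(self):
        """Stand-in for an attacker reading the app's data after theft or compromise."""
        return dict(self.storage)


def demo():
    vault = TokenVault()
    pan = "4111111111111111"
    token = vault.provision(pan, "device-A", limit_cents=3000)
    wallet = PhoneWallet(token, "device-A")
    results = [wallet.pay(vault, 2000), wallet.pay(vault, 1500), wallet.pay(vault, 1000)]
    stolen = PhoneWallet(token, "device-B")  # token copied to another device
    results.append(stolen.pay(vault, 100))
    return token, wallet.dump(), results


if __name__ == "__main__":
    token, dump, results = demo()
    print("on-device data:", dump)
    for accepted, reason in results:
        print("accepted" if accepted else "rejected", "-", reason)
```

A dump of the phone yields a token that is useless without the bound device identifier and, even on the right device, cannot be spent beyond the cap; the real PAN exists only inside the vault.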