What security lesson can be learnt from the Global Payments data breach?

16 May 2012

By Pat Carroll, chief executive,ValidSoft

As often happens at the turn of the year, as I was thinking about the different types of security breaches that had taken place in 2011 and about the fraud vectors that I thought might be important to keep an eye on in 2012. Along with a focus on the security of the mobile channel as m-banking and m-payments take off, and the need to raise awareness about the opportunity fraudsters are finding in social media sites for phishing for information on customers, hacking was high on my agenda.

Attacks on Sony PlayStation and Microsoft Xbox last year both offered proof that fraudsters had found new channels through which to obtain bank details. Fraudsters’ increasingly sophisticated methods were illustrated in March 2011 through the high profile RSA data breach, which resulted in a mass replacement of RSA’s SecureID tokens. The certificate authority model was also infiltrated, when a hacker gained access to four high-profile certificate authorities and issued false certificates in their name. If even the data of the security and certificate providers is being attacked then the nature of the game is changing. Now another high profile attack came to light this year: against Global Payments.

Global Payments
Despite the warnings, here we are again, this time even closer to the money with a hack versus a payments processor, such as Global Payments. The high-profile data breach revealed earlier this year puts the credibility of users such as Visa, MasterCard and the major card issuers and a security vendor at stake. Indeed, the former briefly dropped Global Payments from its approved registry while compliance checks were applied.

Whereas previous indications were that the Global Payments breach had occurred sometime between 21 January and 25 February 2012, it has now come to light that cardholder data may in fact have been compromised as early as June last year, without attracting publicity at the time.

It’s still unclear exactly what data was compromised and when, but it was the Gartner fraud analyst Avivah Litan who, after speaking to international law enforcement agencies in Europe recently at a trade show, who said: “There is much more to this incident than what the public is being told”. With Global Payments saying it will continue to process transactions for all the major card brands, we can only hope that whatever problem existed has now been fixed. But is that the best we can hope for?

Consequences of the attack
As the amount of data consumers and bank customers give away on a daily basis continues to increases, the prize on offer for hackers grows, as does their determination to steal personal details to launch fraudulent attacks. Due to the fact it seems to be very difficult to prevent fraudsters from accessing personal data, with an arms race of protective measures and countermeasures underway, perhaps a change in thinking is needed? One whereby fraudsters are prevented from using or profiting from any data that is stolen.

As much as card schemes should be insisting on the best security provision from their service providers and should be driving forward demands for development in this area, the card schemes are only ever going to be as secure as the security solution they choose. In the traditional world, pre-social media, mobile payments, phishing attacks, Trojans and the like, certain levels of security were acceptable. But things have changed and the traditionally used methods are no longer enough. The financial services industry needs to up its game.

Increasing use of mobile and online channels for things such as banking, payments and shopping give fraudsters’ new channels from which to steal, and in which to use, stolen data. New security architectures that stop fraudsters in their tracks in all areas need to be constructed from the ground up using authentication and transaction verification tools.

Robust regulation and technology
There are two aspects that should be considered when thinking about this new approach to security – better real-time technological protection and standards. First and foremost, regulation and standards in this area need to become more robust. For example, the Global Payments data breach has called into question the credibility of the Payment Card Industry Data Security Standard (PCI DSS) stipulations. PCI DSS encompasses a set of requirements that were established to ensure that all merchants who process, store or transmit credit card information maintain a secure transaction environment. PCI DSS conditions apply between card networks and the acquirer, and between the acquirer and the merchant. In an article, PCI DSS expert and Qualified Security Assessor, Colin Dixon, of the Ascentor consultancy, reported that Global Payments, as a third party processor, has no obligations here, which is why it is still processing payments.

It would have been down to the discretion of those affected as to whether to continue using Global Payments, as Visa illustrated after deciding to run a compliance check after the breach, but some commentators have suggested that the small number of processors in the market means that card schemes are reluctant to part company with their chosen supplier. What is more, the reality is that the revenue that would have been lost by blocking Global Payments transactions probably took that option out of the equation.

How many layers?
More robust regulation also means addressing the two-factor authentication issue. In my opinion, two-factor authentication is no longer sufficient to prevent fraud and there is no need for standards to be limited to recommendations of only two-factor when technology exists that offers a greater level of security and still doesn’t hamper customer experience. Other guidelines in this area such as the European Central Bank (ECB) and US Federal Financial Institutions Examination Council (FFIEC) are only a starting point: the industry needs to get up to speed on using multi-factor, multi-layer authentication tools, including an out of band element.

What I mean by this is that whereas now a consumer probably just uses a PIN or password to authenticate a transaction carried out on the phone or online, it’s now possible for that authentication process to be made more robust by using a combination of visible and invisible layers of security to verify a transaction. Card processors should be looking to adopt this kind of multi-layered, multi-factor approach to authentication when they process a consumer’s transaction because it makes it far more difficult for the fraudster to impersonate the genuine card holder. This multi-layered approach can be enhanced further with a voice biometric factor to make a fraud that much more difficult. As ever with security, deciding whether to add this layer should be based on the level of risk specific to that transaction (this is something that a financial institution’s risk analytics decision-making technology can determine).

The other important element of making this approach to transaction security work is that it needs to work in real-time: it is no good for the customer to be alerted to the fraud after it has taken place. This will not only save the customer from inconvenience, but it will also save card processors, card issuers and banks a lot of money that would have otherwise been spent on investigating the fraud.

As we approach the mid-way point in 2012, my thoughts haven’t quite yet turned to what I think the major threat vectors might be in 2013. But I cannot help wondering if, unless the major players in the payments chain demand more from their security providers, we will see another high-profile breach. Financial institutions need to deploy security technologies that work on a multi-layer, multi-factor approach, rendering stolen data worthless. If it doesn’t happen, I may find myself pondering another year of high-profile attacks.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development