Marat Vyshegorodtsev — how-[not]_to_shoot_yourself_in_the_foot_with_credit_cards


  1. How [not] to shoot yourself in the foot with credit cards. Marat Vyshegorodtsev, System Security Office, Rakuten Inc.
  2. Bio. Marat Vyshegorodtsev. Key areas of expertise: payments and security.
  3. About Rakuten
  4. Worldwide growth. E-commerce in 14 countries and regions. All services and businesses in 27 countries. (timeline from 2005 to 2014; label: INVESTMENT)
  5. History of the credit card
  6. Where is the problem?
  7. Where is the problem? Here.
  8. Legacy issues
     • Merchants still use imprinters in 2014
     • Magnetic stripe will stay forever
     • People will use credit card numbers for online transactions
  9. Credit card data protection. A hard and scary data security standard: up to $100,000 to implement at one site.
  10. Scale of the problem
     • 100+ businesses processing credit cards in 27 countries
     • Few security engineers in Japan
     • $100,000 per site
  11. Approach. Tokenization — replace the credit card number with a random string that only makes sense to your service. Keep the real credit card numbers in one secure, dark and dry place. If stolen, nobody can use these tokens.
  12. Approach. Contain the insecure mechanism. Replace it with a secure system. Provide an interface. (diagram labels: Cards, Tokens, Pay with Token)
  13. Using an existing solution. It is tempting to map one credit card number to a unique token:
     • Fraud analysts want it
     • Marketing wants it
     • Much easier to see things in the database
  14. Watch out for fingerprints (three numbered figures)
  15. Problems with one-to-one mapping
  16. Problems with one-to-one mapping. (card number structure: IIN, account number, check digit)
  17. Problems with one-to-one mapping
     • Only 8 digits to brute-force per issuer
     • Attackers can easily build a dictionary of all tokens to card numbers
     • The attack is easy; reissuing all tokens every time is hard
  18. Unique token every time
     • No unique identifiers for cards in Rakuten
     • The same credit card produces a different token every time it is input
     • But how to do analytics?
  19. Allowed to store and display
     • Masked PAN: 4297 69xx xxxx 6789
     • Cardholder name: Taro Rakuten
     • Expiration date: 02/2020
  20. Allowed to store and display
     • Masked PAN: 4297 69xx xxxx 6789
     • Cardholder name: Taro Rakuten
     • Expiration date: 02/2020
     Duplicates?
  21. Big data to help! We ran a query to see how many duplicates we have among our users. Among all Rakuten users (~100M by now) around 250 duplicates were found. It is a bit hard to tell the precise number, because we can only see masked PANs. 0.00025% of users may have similar-looking cards.
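The design in slides 11 to 21, as an added example that is not code from the deck or from Rakuten: a minimal token vault that validates the card number's check digit, hands out a fresh random token on every submission (so there is no one-to-one mapping for an attacker to build a dictionary against), keeps the real PAN only inside the vault, and exposes the PCI-permitted display fields (masked PAN, cardholder name, expiry). The final function counts how many display records collide on those fields, which is the analytics limitation slide 21 measures. All names (`TokenVault`, `masked_duplicates`, `demo`) and all card numbers are constructed for this example; the two 4297 69xx cards are Luhn-valid numbers chosen only so that they share the mask shown on slide 19.

```python
import secrets
from collections import Counter

# Added example (assumed names, constructed data); not the deck's own code.


def luhn_valid(pan: str) -> bool:
    """Check digit validation: the last digit must make the Luhn sum a multiple of 10."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the IIN (first six) and last four digits, the form allowed for display."""
    digits = "".join(c for c in pan if c.isdigit())
    masked = digits[:6] + "x" * (len(digits) - 10) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


class TokenVault:
    """Stand-in for the 'secure, dark and dry place': real PANs exist only here."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}   # token -> full PAN digits

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # The token is random, not derived from the PAN, so the same card gets a
        # different token each time and tokens cannot be precomputed per issuer.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._tokens:
                break
        self._tokens[token] = "".join(c for c in pan if c.isdigit())
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path inside the vault boundary should call this."""
        return self._tokens[token]

    def display_record(self, token: str, holder: str, expiry: str) -> dict:
        """The fields a shop may store and show outside the vault."""
        return {"masked_pan": mask_pan(self._tokens[token]),
                "holder": holder, "expiry": expiry}


def tokens_differ(vault: TokenVault, pan: str) -> bool:
    """Sanity check for slide 18's property: two submissions never share a token."""
    return vault.tokenize(pan) != vault.tokenize(pan)


def masked_duplicates(records: list) -> tuple:
    """Return (colliding groups, users in them) for records sharing all display fields."""
    keys = Counter((r["masked_pan"], r["holder"], r["expiry"]) for r in records)
    groups = {k: n for k, n in keys.items() if n > 1}
    return len(groups), sum(groups.values())


def demo() -> tuple:
    vault = TokenVault()
    # Constructed, Luhn-valid PANs; the first two share the mask 4297 69xx xxxx 6789.
    card_a = "4297 6900 0006 6789"
    card_b = "4297 6910 0004 6789"
    card_c = "5555 5555 5555 4444"
    records = [
        vault.display_record(vault.tokenize(card_a), "Taro Rakuten", "02/2020"),
        vault.display_record(vault.tokenize(card_b), "Taro Rakuten", "02/2020"),
        vault.display_record(vault.tokenize(card_c), "Hanako Rakuten", "02/2020"),
    ]
    # Two distinct cards are indistinguishable from the display fields alone.
    return masked_duplicates(records)


if __name__ == "__main__":
    print(demo())   # (1, 2): one colliding group covering two users
```

The collision in `demo` is the whole point of slide 21: with random tokens, the masked PAN plus name and expiry is the only key analytics can join on, and that key is not unique, so duplicate counts from such a query are an estimate rather than an exact figure.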
  22. Ok, how about issuers then? — Hmm… Issuers don’t have much power over their customers’ security — Let’s give them that!
  23. Welcome 3D-Secure! Take one insecure mechanism, add another insecure mechanism. (diagram labels: Cards, 3D-Secure)
  24. 3D-Secure
  25. 3D-Secure on mobile apps
     • You can’t use native components. Only WebView, only hardcore! (and you don’t see the URL in most of the cases)
     • Responsive UI for mobile 3D-Secure pages? No, never heard of it.
     • Frustration of the customer? That’s the shop’s fail.
  26. The future of payments. The credit card will remain the main interface to your bank account. Companies will make secure and convenient interfaces to your credit cards:
     • NFC, PayPal Beacon or Passbook in the physical world
     • Secure payment gateways on the Internet
     • Facebook + WhatsApp + payments, Gmail + Google Checkout, more to come
     • 3D-Secure will die
  27. Future: drop “credit card” from the equation. If everybody uses new technologies, why do we need credit cards?
     • Banks are bad at creating unified Internet services
     • Americans can’t get rid of plastic
  28. Thank you!