New trends in Payments Security: NFC & Mobile

New trends in Payments Security:
NFC & Mobile
www.sisainfosec.com
SISA Information Security

Speaker
Qualifications: PCI QSA, PA-QSA, CISA, CISSP, CEH, FCA, ISO 27001 Implementer, CEH, OCTAVE (SEI-CMU) Authorized
Trainer and Advisor, SANS Certified Web Application Pen Tester (GWAPT), Microsoft Certified Professional (MCP), VISA
Qualified Payment Application Security Professional (VISA QPASP)
Dharshan Shanthamurthy,
Founder and Chief Executive Officer
 Payment Security Expert. Worked on Aadhar initial security framework and was the lead author of the PCI DSS
Standard Risk Assessment Guidance document.
 Amongst the first PCI Qualified Security Assessors of the PCI Council. First PCI QSA in Asia.
 OCTAVE Authorized Trainer from Software Engineering Institute, Carnegie Mellon University.
 Author of the CPISI and CISRA Certification programs.
Email: dbs@sisainfosec.com Linkedin: dharshanshanthamurthy

Session Objective
Mobile and NFC Technology based Payments
Payment Card Industry Ecosystem
Challenges and Solutions with respect to payment security
Mode: Interactive

Mobile Payments

Global Mobile Payment Transaction Volumes
from 2015 to 2019 (In Billion US Dollars)
This statistic shows
the global mobile
payment transaction
volume from 2015 to
2019. The worldwide
mobile payment
volume in 2015 was
450 billion U.S.
dollars and is
expected to surpass
1 trillion U.S. dollars
in 2019.

Three routes for contactless payments

Near Field Communication (NFC)
Near Field Communication (NFC) is shaping the
future of mobility and is becoming the system of
choice for mobile payments.
NFC is a technology that has been around already
for years, but has gained much attention after
Apple announced that the new IPhone 6 line was
fitted with the technology for credit card-less
payments.
NFC is a short-range high frequency wireless
communication technology that enables the
exchange of data between devices over about a 10
cm distance.

Players likely to drive growth in global
mobile payments

PayPal
PayPal, Paydiant and mobile payments
PayPal has been an ecommerce force for years. In March, news broke of PayPal's plan to acquire startup
Paydiant, a platform that companies use to build branded mobile-payment and loyalty-card services. Subway,
Capital One and retail consortium Merchant Customer Exchange (MCX) already use Paydiant's platform,
according to the IDG News Service. Paydiant lets consumers pay for items via their mobile devices using NFC
and QR codes.
PayPal also said in March that it would sell NFC-equipped versions of its credit card readers to merchants.

Innovation by Amex
Amex also recently partnered with Jawbone to add mobile
payment features to the company's upcoming UP4 fitness
tracker.
American Express is experimenting with facial recognition
and wearable technology that could form the foundation
for new mobile-payment and security features
Amex tests new ways of using its payment services on
devices such as the Apple Watch and Google Glass in its
own tech development lab.SISA Information Security

Innovation by Samsung
Samsung has announced Samsung Pay, which uses two
different wireless technologies: NFC and magnetic secure
transmission (MST).
LoopPay developed the MST, which has been embedded
as a copper ring inside the new Samsung Galaxy S6
smartphones.
Samsung Pay, NFC and MST
Samsung Pay was launched in the summer of 2015

Samsung’s MST
Magnetic Secure Transmission (MST) is a technology that
emits a magnetic signal that mimics the magnetic strip on
a traditional payment card. MST sends a magnetic signal
from your device to the payment terminal's card reader (to
emulate swiping a physical card without having to upgrade
the terminal’s software or hardware). MST technology is
accepted at nearly all payment terminals with a card
reader. Some payment terminals may require software
updates. Simply select a card from Samsung Pay, and
transmit the payment information by moving your device
within an inch of the payment terminal. Your transaction
and payment information will be kept private and secure
with the use of tokenization. MST is more secure than
using a traditional payment card and is as secure as
paying with Near Field Communication (NFC).

Apple Pay
The Apple Pay mobile-payment and digital-wallet system
debuted in October 2014.
It lets consumers with NFC-enabled iPhone 6, iPhone 6
Plus, and Apple Watch devices pay in stores at
contactless terminals and buy goods using apps that
support the service.
Apple Pay's impact was significant and immediate.
More than a million credit cards were registered for use
with the service in its first three days of availability.

Vulnerabilities of Mobile Payments
New processes create new security vulnerabilities. Over-
the-air provisioning of payment credentials and
applications, for example, potentially creates new attack
vectors for eavesdroppers to steal and misuse customer
data.

The 2015 Mobile Payment Security Study, released by ISACA, showed that the growing concerns over
mobile security safety.
Basked on the survey results, ISACA ranked the following
risks and vulnerabilities associated mobile payments:
• Use of public WiFi (26 %)
• Lost or stolen devices (21 %)
• Phishing/shmishing (phishing attacks via text messages) (18 %)
• Weak passwords (13 %)
• User error (7 %)
• There are no security vulnerabilities (0.3 %)
Vulnerabilities of Mobile Payments

Risks Associated with Mobile Payments
Failure to understand exactly where and how sensitive account data is
stored and transmitted can prevent organizations from clearly
defining and implementing data protection solutions.
Phishing/smishing (phishing conducted over SMS): More often than
not, mobile phishing attacks targeted credit card and bank card data.
Insecure Coding: The app itself could also have coding or process
flaws, which can lead to leaked banking information.

Risks Associated with Mobile Payments
Device Theft: Additionally, if the device is lost or stolen, the stored
financial data could be whisked for malicious purposes. If you’re not
careful, your data and credentials could end up in the wrong hands.
A report from Kaspersky Lab highlights how mobile malware became
more sophisticated, with "mobile Trojans which could check on the
victim's balance to ensure the maximum profit."
Man-in-the-Middle (MitM) attacks via fake or malicious apps and data
breaches to take advantage of the new payment methods.

1983 Re-embossed counterfeit fraud
1988 Re-encoded counterfeit fraud
1989 Card not present fraud/ fraud applications
1991 Never received issued fraud
1992 Merchant fraud
1994 Identity Theft
2000 Skimmed counterfeit
2002 Communications interception
2007 Wireless/ Chip sniffing and card counterfeit/ Fake terminals
2010-14 Server Hacking/Malware/Memory Scrapping
Payment Card Fraud Evolution

Some more Mobile Payment Risks

Payment Data Breaches
The survey was conducted by the Ponemon
Institute. It involved a survey of 3,773 IT
security practitioners from more than a dozen
major industry sectors in the United States,
United Kingdom, Germany, France, Belgium,
Netherlands, Japan, India, Russian
Federation, Middle East and South Africa.
Industries represented include
communications, entertainment & media,
financial services, government, healthcare,
hospitality, IT Services, retail, technology,
transportation and utilities.

Hilton Hotel Breach
Hilton Worldwide was a target of an attack by means of a
malware that was installed on their point of sale (PoS) systems
at restaurants and shops in certain Hilton hotels including
Waldorf Astoria, Embassy Suites, and Hampton Inn and Suites.
Hilton announced ‘Customers who used their payment cards
between November 18 and December 5, 2014, or April 21 and
July 27, 2015, may be affected by the info-stealing malware.’
Hilton customers’ personal information such as cardholder
names, payment card numbers, security codes, and expiration
dates are believed to have been compromised by the PoS
malware, but no addresses or personal identification numbers
(PINs) were affected.

Starwood Hotels Credit Card Breach at
over 50 locations
Malware aimed at stealing credit and debit card information
was found on payment systems at restaurants and stores in 54
Starwood hotels in North America
"The malware was designed to collect certain payment card
information, including cardholder name, payment card number,
security code and expiration date,"
Similar examples of Hotels being targeted by malware on their
payment systems:
• Trump Collection
• Mandarin Oriental Hotels

Wendy’s Card Data Breach
As many as 6000 locations were affected by the breach in
December 2015
Jimmy John's, Rainforest Cafe, Morton's, P.F. Chang's, and Dairy
Queen have been victims of credit card hacks since 2014.
"Traditionally [POS systems] have been some of the weakest
spots [in a restaurant's operations... because restaurant
owners] tend to do really sloppy things like enable the same
password for each system.“, Security Experts.
In all the above cases, Cards impacted by this event appear to
be those swiped at the stores, and did not include those cards
entered manually or online.

LoopPay Attack and Breach
LoopPay, a small Massachusetts subsidiary of the South
Korean electronics giant, was the target of a
sophisticated attack by a group of government-
affiliated Chinese hackers (Codoso Group).
The attackers are believed to have broken into LoopPay’s
corporate network, but not the production system that helps
manage payments, said Will Graylin, LoopPay’s chief executive
and co-general manager of Samsung Pay.
LoopPay executives said the Codoso hackers appeared to have
been after the company’s technology, known as magnetic
secure transmission, or MST, which is a key part of the Samsung
Pay mobile payment wallet

Other facts
As well, ownership for payment data security is not centralized, with 28% of respondents saying responsibility is with the
chief information officer, 26% saying it is with the business unit, 19% with the compliance department, 15% with the
chief information security officer and 14% with other departments.
Hackers are targeting the latest technology in mobile payments
According to the independent study, 55% said they did not know where all their payment data is stored or located.
Senior threat researcher Numaan Huq who spoke about the current PoS security landscape, explained POS malware still
remain a threat despite the newer payment technologies.
With the recent introduction of new payment technologies such as EMV and RFID contactless cards, business are
expected to upgrade to new secure payment systems. However, attackers will attempt to come up with new strategies
against these improved systems and environments.

How to Secure Payment Environment
 Payment Security Standards – PCI DSS, PA DSS and PCI PIN
 Training - Get the teams trained on Payment Security Implementation
 Payment Security Risk Assessment
 Payment Data Discovery
 Effective Segmentation in between Payment data and Non payment data.

OS Hardening –
• Deploying DB in the same
server
• Patch management
• Firewall – securely configuring
the FW is more important
• IPS – configure it for dropping the
packets
• VAPT
• Web App PT
• Firewall Rule review
• Encrypting the DB credentials
• Storing truncated PAN, instead
of full PAN and CVV2
Process
Application
Server
Network
PCI Security Layered Approach

PCI for
Protecting
PaymentsSISA Information Security

Thank You!
Please feel free to write any questions to dbs@sisainfosec.com

New trends in Payments Security: NFC & Mobile

More Related Content

What's hot

Viewers also liked

Similar to New trends in Payments Security: NFC & Mobile

Recently uploaded

New trends in Payments Security: NFC & Mobile