Innovation Exposes Payment Vulnerabilities

Guy Berg, Vice President, Payments, Standards, and Outreach Group, Federal Reserve Bank of Minneapolis

Innovations in technology are permeating almost every aspect of our lives, from how we communicate with friends and family, navigate in cars, read books, make purchases and much more. Not only do technology innovations affect us personally, but they can also have broad societal impacts that go undetected for years. For instance, who could have predicted the use of Facebook by hostile foreign agents attempting to influence election outcomes? This is just one example of many illustrating how innovation that provides great personal and commercial benefits can also be applied maliciously at the expense of society. Unfortunately, banking and payments are not immune to harmful applications of new technologies. We are only now recognizing the scale of the vulnerabilities exposed and the actions required to mitigate attacks that exploit technology innovation.

What innovations are the root causes of most of the payment fraud challenges we face today? The Internet is the most obvious one. The Internet has increased both system-to-system and email connectivity among businesses. It has also enabled greater connectivity among individuals through email and social media applications like Facebook, LinkedIn and Twitter. This enhanced connectivity has provided innumerable benefits to business and society as a whole, but it has also empowered criminal elements searching for ways to penetrate your systems and steal valuable payment data and personally identifiable information (PII) that can be used to commit payment fraud.


The primary vulnerabilities exposed by the Internet are twofold: first, system and data access security, and second, the risk associated with including sensitive payment information within transactions (as opposed to masked account information). The Internet has provided an ideal environment in which criminals from Eastern Europe, China or anywhere in the world looking to steal payment data can perform large-scale automated attacks on systems anonymously, with low risk of getting caught and prosecuted. Before the Internet, exposure of payment account data was already a vulnerability, but it was much more difficult to access the data and attacks were not scalable, which kept the risk exposure low.

Data stolen through data breaches, along with employment and family history information stolen from social media sites like LinkedIn and Facebook and via phishing schemes, have all been enabled by the broad adoption of the Internet. This information can be used to steal or guess payment credentials to initiate fraudulent transactions, to fraudulently apply for new accounts, or to penetrate accounts already held on merchant sites. Using breached data and information stolen from social media sites, criminals employ many devious methods to commit payment fraud.

Remote electronic payments are another Internet-enabled innovation at the root of growing payments fraud. Remote electronic payments made on home computers, tablets and mobile phones have revolutionized how people shop, introducing the convenience of shopping from anywhere. Consequently, remote electronic payments are now both the fastest growing form of payment and the fastest growing form of payment fraud. When the customer is not present in person to make the purchase, authenticating the cardholder becomes far more complex.

The primary vulnerability exposed by remote electronic payments is the reliance on static data to authenticate a transaction. That is, the same account information is used for every transaction: it does not change. As a result, once the payment information is acquired it is easy to perform a fraudulent transaction. Furthermore, this fraud is extremely difficult to detect.

To address the risk posed by static authentication, in 2015 the U.S. began migrating to chip cards. Chips embedded in credit, debit and prepaid cards enable dynamic data authentication for in-person purchases. This means that unique data, secured with cryptography, are generated for every transaction, so captured data from one transaction cannot simply be reused for another. The outcome is improved detection and mitigation of fraudulent transactions, in particular counterfeit card fraud. Unfortunately, chip technology is not readily applicable to remote payments, so the industry is feverishly searching for new solutions that can be broadly adopted cost-effectively to strengthen remote authentication.
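The contrast between static and dynamic authentication described in the two paragraphs above can be made concrete in a few lines. The following Python model is an added example, not code from the author or from any card network; it is a deliberately simplified stand-in for a chip cryptogram (an HMAC over the account number, a per-card transaction counter, the amount and a terminal nonce) and does not reproduce EMV's actual key derivation or cryptogram format. All keys, account numbers and amounts are constructed values. It shows why a captured static credential is approved on every reuse, while a captured cryptogram is declined on replay and a modified amount is declined as tampering.

```python
"""Static credential reuse vs. per-transaction cryptogram (added example, simplified model)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed, non-production values for the demonstration.
STATIC_PAN = "4111111111111111"        # well-known test PAN, not a real account
STATIC_EXPIRY = "1229"
CARD_KEY = b"constructed-card-key-16b"  # per-card secret shared with the issuer

# --- Static authentication: the issuer only checks that fixed data matches its record.
ISSUER_STATIC_RECORDS = {STATIC_PAN: STATIC_EXPIRY}


def static_authorize(pan: str, expiry: str) -> bool:
    """Approve whenever the presented static data matches the record on file.
    The same (pan, expiry) pair is therefore accepted on every reuse."""
    return ISSUER_STATIC_RECORDS.get(pan) == expiry


# --- Dynamic authentication: simplified chip model (not EMV's real algorithm).
@dataclass
class ChipCard:
    pan: str
    key: bytes
    atc: int = 0  # application transaction counter, advanced once per transaction

    @staticmethod
    def mac_input(pan: str, atc: int, amount_cents: int, nonce: bytes) -> bytes:
        return f"{pan}|{atc}|{amount_cents}|".encode() + nonce

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Produce a one-time cryptogram bound to this counter value, amount and nonce."""
        self.atc += 1
        msg = self.mac_input(self.pan, self.atc, amount_cents, terminal_nonce)
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}


@dataclass
class Issuer:
    keys: dict                                   # pan -> per-card key
    last_atc: dict = field(default_factory=dict)  # pan -> highest counter seen

    def verify(self, tx: dict) -> bool:
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        msg = ChipCard.mac_input(tx["pan"], tx["atc"], tx["amount"], tx["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx["mac"]):
            return False  # wrong key or altered fields (e.g. amount): decline
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False  # counter did not advance: a replayed cryptogram
        self.last_atc[tx["pan"]] = tx["atc"]
        return True


def demo() -> dict:
    """Run both schemes against a first use, a replay and a tampered copy."""
    results = {}
    # Static data: identical submission approved twice.
    results["static_first"] = static_authorize(STATIC_PAN, STATIC_EXPIRY)
    results["static_replay"] = static_authorize(STATIC_PAN, STATIC_EXPIRY)

    card = ChipCard(pan=STATIC_PAN, key=CARD_KEY)
    issuer = Issuer(keys={STATIC_PAN: CARD_KEY})
    tx = card.generate_cryptogram(amount_cents=2599, terminal_nonce=b"\x01\x02\x03\x04")
    results["dynamic_first"] = issuer.verify(tx)
    results["dynamic_replay"] = issuer.verify(tx)          # same cryptogram again
    results["dynamic_tampered"] = issuer.verify(dict(tx, amount=1))
    tx2 = card.generate_cryptogram(amount_cents=2599, terminal_nonce=b"\x05\x06\x07\x08")
    results["dynamic_next"] = issuer.verify(tx2)           # fresh transaction
    return results


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name}: {'approved' if approved else 'declined'}")
```

The issuer-side checks are the point: the MAC ties the cryptogram to the amount and nonce, and the monotonic counter turns any replay into a detectable event rather than a silent approval. A real issuer would also bound how far the counter may jump and would derive session keys per transaction, which this model omits.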

As they say, the train has left the station, so the Internet and remote payments are here to stay. Usage of both will grow even faster in the years to come, and protecting data will become more difficult than ever. The good news is that there are viable ways to curb the payment fraud resulting from them. The question is, how long will it take for payment industry stakeholders to make the tough decision to remove account credentials from payment transactions and so eliminate the utility and value of data breaches? And how long will it take payment industry stakeholders to agree upon the best approach to strengthening remote payment authentication? The technology exists to resolve these vulnerabilities. Achieving collaboration across payment industry stakeholders is the greatest challenge.
