The game of one-upmanship that many of us learned by reading Mad magazine’s Spy vs. Spy cartoon strips as children is analogous to the security industry’s fight against the “bad guys.” Even as banks constantly improve the technology used to protect credit cards and financial transactions, anti-fingerprinting tools for browsers and other crimeware are becoming increasingly popular, as reported by Krebs on Security.
Payment service providers and online stores use fingerprints to block illicit transactions based on observed behaviors and patterns. These anti-fingerprinting and crimeware tools allow fraudsters to spoof their browser components (like browser type, version, OS, processor type, and time zone) to deceive security mechanisms that rely on browser fingerprinting capabilities. In the article on Krebs on Security, there is even a link to a video that shows a demo of how to use one such tool and a stolen credit card to buy software titles worth more than $200 online.
The Card-Fraud Modus Operandi
As long as businesses allow customers to use credit cards without physically presenting the card, technology like smart chips will not be able to prevent fraud. As Krebs points out, “card not present” fraud will likely increase as more and more banks in the United States use cards with embedded chips. As with anything else in security, this is an industry-wide problem that requires the collective abilities of enterprises that handle personal financial and credit card data to provide the necessary security measures.
The modus operandi of cybercriminals seems fairly consistent: infiltrate the porous perimeter at a vulnerable online merchant, install some form of card-stealing malware, spread the attack inside the network to ensure that the “information harvest” is maximized, make away with the bounty, and then quietly post the card details for purchase in underground carding shops.
An Ounce Of Prevention
A vast number of enterprises continue to spend 80% of their security dollars to protect 20% of the traffic—I call this the paradox of the perimeter. The reality is that the largest volume of traffic occurs inside the data center between different systems that store, access, and process card information. To help prevent card theft, enterprises need to better secure the insides of their data centers. Compliance standards like the newest PCI DSS 3.0 help, but the implementation of the guidelines is still in the hands of security architects. Enterprises should consider the following strategies to secure their sensitive card handling systems:
- Stay on top of payment card industry standards and their recommendations.
- Gain systems and transactional visibility inside their data centers and clouds to know where sensitive data is being handled.
- Invest in security technology that provides easy ways to segment systems inside data centers.
- Provide policy-based encryption of data in motion and data at rest.
- Lock down transactions to the narrow set of permitted flows to prevent lateral movement from potentially compromised systems.
The responsibility to break the Spy vs. Spy logjam with financial information and credit card security rests on the industry’s ability to recognise that our security models may need to be revisited to better counter the sophistication of the bad guys.